Windows Analysis Report
739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe

Overview

General Information

Sample name: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Analysis ID: 1446056
MD5: 784ba798f9aa395a8ed0cd2d1e557320
SHA1: d368d6b2507f3523702b855a19f0b6eb8380320b
SHA256: 3979eb243225878a1331722d77eeb7d5937691a9e81322bfe24f5ae23aa855f6
Tags: AgentTesla, exe, FedEx

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe (PID: 4232 cmdline: "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" MD5: 784BA798F9AA395A8ED0CD2D1E557320)
    • powershell.exe (PID: 4508 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • skyT.exe (PID: 2036 cmdline: "C:\Users\user\AppData\Roaming\skyT\skyT.exe" MD5: 784BA798F9AA395A8ED0CD2D1E557320)
    • skyT.exe (PID: 1396 cmdline: "C:\Users\user\AppData\Roaming\skyT\skyT.exe" MD5: 784BA798F9AA395A8ED0CD2D1E557320)
  • skyT.exe (PID: 1020 cmdline: "C:\Users\user\AppData\Roaming\skyT\skyT.exe" MD5: 784BA798F9AA395A8ED0CD2D1E557320)
    • skyT.exe (PID: 1656 cmdline: "C:\Users\user\AppData\Roaming\skyT\skyT.exe" MD5: 784BA798F9AA395A8ED0CD2D1E557320)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.adgumrukmusavirligi.com", "Username": "gizemcevik@adgumrukmusavirligi.com", "Password": "GizCvk2019!."}
Source | Rule | Description | Author | Strings
00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(23 entries in total; 5 shown)

Source | Rule | Description | Author | Strings
6.2.skyT.exe.4558350.8.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.skyT.exe.4558350.8.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.skyT.exe.4558350.8.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3373a:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x337ac:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33836:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x338c8:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33932:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x339a4:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33a3a:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33aca:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
6.2.skyT.exe.451d730.9.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.skyT.exe.451d730.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(33 entries in total; 5 shown)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", ParentImage: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, ParentProcessId: 4232, ParentProcessName: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", ProcessId: 4508, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\skyT\skyT.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, ProcessId: 3160, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skyT
Source: Network Connection | Author: frack113 | Data: DestinationIp: 94.199.206.42, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, Initiated: true, ProcessId: 3160, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 60100
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", ParentImage: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, ParentProcessId: 4232, ParentProcessName: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe", ProcessId: 4508, ProcessName: powershell.exe

Snort IDS alerts:

Timestamp: 05/22/24-22:03:11.679391
SID: 2030171
Source Port: 60101
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/22/24-22:03:11.679391
SID: 2839723
Source Port: 60101
Destination Port: 587
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Avira: detection malicious, Label: TR/AD.GenSteal.xzcol
Source: 6.2.skyT.exe.451d730.9.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.adgumrukmusavirligi.com", "Username": "gizemcevik@adgumrukmusavirligi.com", "Password": "GizCvk2019!."}
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | ReversingLabs: Detection: 31%
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Joe Sandbox ML: detected
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Joe Sandbox ML: detected
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4x nop then jmp 073CBF37h | 0_2_073CBC83
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 4x nop then jmp 0772B847h | 6_2_0772B593
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 4x nop then jmp 06CEB847h | 9_2_06CEB593

Networking

Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.6:60101 -> 94.199.206.42:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.6:60101 -> 94.199.206.42:587
Source: Yara match | File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:60100 -> 94.199.206.42:587
Source: Joe Sandbox View | IP Address: 94.199.206.42
Source: Joe Sandbox View | ASN Name: AEROTEK-ASTR
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.adgumrukmusavirligi.com
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.000000000315D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000006.00000002.2294417914.000000000324D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2353162012.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, cPKWk.cs | .Net Code: m1v5IQ8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\skyT\skyT.exe
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\skyT\skyT.exe
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, Resources.cs | Large array initialization: array initializer size 635609
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_017CE02C
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073CB392
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C8300
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C63E8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C82F0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073CE120
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C5FB0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C7EB8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C7EC8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C7A90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_073C7A80
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B09758
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B04AA8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B03E90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B08F90
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B0CC18
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B041D8
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_02B0CFC2
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C1768
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C2F10
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C6DDC
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C09C0
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C8108
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C8103
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C8DF7
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 4_2_062C2828
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_02FBE02C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_07728300
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_077263E8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_077282F0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_07727EC8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_07727EB8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_0772DA38
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_07727A90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 6_2_07727A80
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C591D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C59628
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C5CAE8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C54AA8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C53E90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C58E5C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C541D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C519C0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06380448
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_063811F0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06386C54
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06382D98
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_063822B0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06387F88
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06387F82
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_06388C76
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 7_2_02C5CE90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_026BE02C
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D10040
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D1001F
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D1AF30
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE82FB
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE63E8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE8300
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE7EC8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE7EC3
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE7EF5
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE5FB0
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE7A8B
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE7A90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CEDA38
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017E9628
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017ECAE8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017E4AA8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017E3E90
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017E41D8
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06640448
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06646C54
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06647F83
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06647F88
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06648C77
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06646C48
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_017ECE90
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2140332453.0000000007F20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2134386068.00000000012EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2139860310.00000000076C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.000000000315D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename10920149-2e8b-4d10-98dd-faef01bf06fc.exe4 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000000.2102695337.0000000000E6A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLoud.exeJ vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.00000000030F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename10920149-2e8b-4d10-98dd-faef01bf06fc.exe4 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4570035103.0000000000D38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Binary or memory string: OriginalFilenameLoud.exeJ vs 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs | Security API names: _0020.SetAccessControl
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs | Security API names: _0020.AddAccessRule
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, mjY8HAPE3JTDE1XrJ4.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.3143a20.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.3133a14.6.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.349dda4.0.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.7360000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/9@1/1
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.log
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2992:120:WilError_03
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Mutant created: \Sessions\1\BaseNamedObjects\UZnjywb
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gdqkews5.pfg.ps1
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002D46000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4573886453.0000000002EF4000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 00000007.00000002.4573886453.0000000002F08000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 0000000A.00000002.4574644878.0000000003309000.00000004.00000800.00020000.00000000.sdmp, skyT.exe, 0000000A.00000002.4574644878.00000000032F5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File read: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
Source: unknown | Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, GameOfLife.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, GameOfLife.cs | .Net Code: InitializeComponent contains xor as well as GetObject
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs | .Net Code: HNZ2kEsUwE System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.7f20000.13.raw.unpack, LoginForm.cs | .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.31165f8.3.raw.unpack, LoginForm.cs | .Net Code: _206B_206C_202A_202D_206F_206F_206C_202D_206A_202A_200B_206C_206E_206A_206D_206B_202C_206E_200C_206F_200D_206D_200C_200F_202C_206C_202E_206B_202B_202E_206E_206B_206B_206D_206C_202C_200D_202E_202C_200E_202E System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Code function: 0_2_017CB920 push 18418B05h; ret 0_2_017CBB83
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_026BE16A push ebx; retf 9_2_026BE172
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D122A1 push ebp; retf 9_2_04D122A3
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D163D0 pushfd ; retf 9_2_04D163D6
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D18FA0 pushfd ; retf 9_2_04D18FAE
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D11498 push esi; retf 9_2_04D1179E
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D110C3 push esp; retf 9_2_04D110D2
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D110B3 push esi; retf 9_2_04D110B2
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D110B3 push edi; retf 9_2_04D110C2
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D110A7 push esi; retf 9_2_04D110B2
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D11E97 push esp; retf 9_2_04D11EA6
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_04D11850 push esp; retf 9_2_04D1185E
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CEBECA push esp; retf 9_2_06CEBED6
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE2F88 pushad ; iretd 9_2_06CE2F89
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE8A70 pushad ; iretd 9_2_06CE8A79
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 9_2_06CE8947 push eax; iretd 9_2_06CE8949
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_066422A0 push cs; iretd 10_2_066422AA
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Code function: 10_2_06641913 push es; iretd 10_2_0664191A
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Static PE information: section name: .text entropy: 7.964960726010625
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, YStk5IOYjMqj0EeRG4.cs | High entropy of concatenated method names: 'y8llyA8diO', 'cuKlUMhg9u', 'jnRlsXm49E', 'ONGshFIwPZ', 'HTdszZ9seA', 'pq7lKcEjWV', 'zjwlNTxCIJ', 'O90lZYF4HG', 'Lxilv0uNZL', 'gSEl2RQsNf'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, mjY8HAPE3JTDE1XrJ4.cs | High entropy of concatenated method names: 'CwnJeie5Vh', 'pQYJHhZWuj', 'rKPJu7y2sN', 'a7MJbSn4TV', 'SfDJX2wmt6', 'ySGJg3Np7C', 'Bj1JB3Bqpy', 'PiDJV7DmWn', 'xhOJ0hxx3g', 'CQUJhNxoCR'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, I8o55IfytmgWdxmM3Y.cs | High entropy of concatenated method names: 'Gjav8yXRGC', 'SEavyyESvT', 'xNMvJImL4Y', 'XOvvU4QPx6', 'DDHvrWlq6o', 'KcCvs0U4om', 'dWqvlRr3hu', 'g3ivfqwuFY', 'He1viogOg5', 'NaVv3d3uHQ'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, sSUVfO93Njxw0miDEa.cs | High entropy of concatenated method names: 'qDhrw7ROkD', 'zVWrYmXT0I', 'yOZUckIxln', 'UpTUp0EyAY', 'vyfULylTm6', 'dNuU7xQJ92', 'Go0UOxbY9L', 'hfTU6w9XWX', 'S5gUSQXvfd', 'FNnUaOW8iT'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, ckDAAq0mjRsFIG5IC4.cs | High entropy of concatenated method names: 'iBRnGa5XFc', 'EBwn5fmbkp', 'N4Znc4Ki5G', 'bpWnp07a2R', 'iuVneruxgT', 'AAKnLwxCnL', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, qef9sBImAwUNe94EJd.cs | High entropy of concatenated method names: 'heIqPYwsin', 'V4FqjccVv7', 'yZ5qGPXVTZ', 'zSBq50q9Xw', 'rZEqp6tJ3d', 'gMVqLOd4PL', 'chNqOU9AHH', 'k2Rq6FBom0', 'AnIqa7527c', 'CG4qQuVj62'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, PmKD6VgRIMxp3hCBB0.cs | High entropy of concatenated method names: 'grUtV5OgEQ', 'gytthVNKZT', 'H2lnK47xyc', 'Ay5nNgjpsn', 'KxUtQtXUhT', 'r1ctxOJGHL', 'pT4tIqKbA8', 'xLateO1Ql6', 'j08tHATUQv', 'cdituq5OWn'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, wYWvuM2xsZWf6Kko5I.cs | High entropy of concatenated method names: 'r1RNljY8HA', 's3JNfTDE1X', 'lyrN3qFEvp', 'Ow4NRNFSUV', 'viDNdEaJCh', 'rlXNA2iTj9', 'NqHNhaBvGDcJlpywvy', 'S2QJTPjyandZlgOs0U', 'VhLNNXbr38', 'GsWNvEo9B3'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, KBhn4QhP2O2VFnHvhf.cs | High entropy of concatenated method names: 'llsENjs9Ls', 'YbTEv2RvpX', 'D8hE2ICTq7', 'wt3Ey06JQ7', 'G7sEJw8cU5', 'gXUEroGhe9', 'G4wEs6lbkt', 'wasnB1mTGW', 'lg2nVWZZHZ', 'ULin0MYuHt'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, PyTJP3jyrqFEvpQw4N.cs | High entropy of concatenated method names: 'asPUo4SVpj', 'krsUTqQo7E', 'KIqUP1LfPF', 'ITaUj2QrNf', 'l7nUdJFqYc', 'J89UAkOhB0', 'U5jUtpsvLh', 'TagUnQV396', 'PUZUEw2GIG', 'tGjUFS0NsB'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, fEX4WANvdXcGc1eTU4s.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'njnFer97Jr', 'DqLFHsYJNP', 'GlGFuLWHIL', 'mY2FbaJRQB', 'd9VFXvSr2G', 'VMiFgrDG0F', 'Gj3FB4Xl72'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, nrUakDuYsKXrr3RcGT.cs | High entropy of concatenated method names: 'ToString', 'Ay1AQ3Spsq', 'kcyA5bSECd', 'XcNAcFFY3Z', 'KHIApPZ7p3', 'SNIALOJx0B', 'IHjA78DbDf', 'w0XAOlgllW', 's1bA60fibD', 'HbTASnQaqS'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, QKKt0uZUBaLghvtnCj.cs | High entropy of concatenated method names: 'b70kvT54C', 'CiZob7nA8', 'R13TBIVlf', 'JRLYvuyaI', 'hbfjGIJDu', 'le89xYK6B', 'ADEchtw4raIhp8inyc', 'J8p8vUQZGBMtl2syki', 'rBBn7x4Ip', 'TCXFxVK9m'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, xlbPoNSZIT2A7lpgVn.cs | High entropy of concatenated method names: 'eiZlDEjjTU', 'GKVlMcUlPL', 'MONlktd5X2', 'bpdloA1lth', 'yE0lwJssSf', 'vrZlTkRJXx', 'Aq4lYXO7YR', 'UNglPrrvBu', 'g6hljWy2Q0', 'YSDl9b1g21'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, gChElXG2iTj9pmYkL4.cs | High entropy of concatenated method names: 'owWs8F6uNm', 'DaYsJjUolR', 'CyysrV9f1o', 'R8Ksl90Xsy', 'BfesfrTR3j', 'yeqrXhIbPr', 'NbHrg8xyFS', 'n1HrBKeELh', 'vFZrVfkvw1', 'jOHr0oRCC6'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, idbalSevs0md1CRtV0.cs | High entropy of concatenated method names: 'EVYda1gQlQ', 'ehZdxvEubf', 'XvZdeEuHrW', 'neBdHorEwW', 'AlHd5D7rRk', 'NKxdcHKGpD', 'OLedpyd6sR', 'yUcdLpCifq', 'UNad7SSl8N', 'LradOriPNC'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, eXZIWhV1g8iGIrxMco.cs | High entropy of concatenated method names: 'pLvnyKoxD2', 'ChsnJEwAfE', 'wRUnU24gfA', 'c51nrG2IAI', 'E4unsEIJkp', 'yPMnlR85hX', 'lxdnfLnRE4', 'vhEnidjqWq', 'Wjxn3bUtkn', 'P3knR8wKZW'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, oQXkeEJFwLoP2MaAn3.cs | High entropy of concatenated method names: 'Dispose', 'jFcN0qCPq3', 'IfgZ5ZWbZQ', 'Ggk44gJNKi', 'j8XNhZIWh1', 'U8iNzGIrxM', 'ProcessDialogKey', 'IoZZKkDAAq', 'vjRZNsFIG5', 'QC4ZZ7Bhn4'
                    Source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44d5ca0.9.raw.unpack, yHAGFTNKKDjK5iO9ZJr.cs | High entropy of concatenated method names: 'uUgED16u5h', 'VtgEMQxdPf', 'pQJEk7rjCD', 'gdPEocDeKA', 'Tf0Ewb2H7K', 'SlCETQ5kEF', 'hTlEY9NTpS', 'f04EPnBWQv', 'KOCEj5W48V', 'cWoE9pccNk'
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File created: C:\Users\user\AppData\Roaming\skyT\skyT.exe
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run skyT

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File opened: C:\Users\user\AppData\Roaming\skyT\skyT.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 17A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 30F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 50F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 7F40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 8F40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 90F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: A0F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 11B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 2C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Memory allocated: 4C70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2F70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 31E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 3000000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 7A20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 8A20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2C50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2E20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 4E20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 25C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 7060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 8060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 82F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Memory allocated: 92F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeMemory allocated: 1690000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeMemory allocated: 3220000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeMemory allocated: 3130000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2400000
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399890
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399781
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399670
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399547
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399437
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399327
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399217
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2399094
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398969
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398860
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398735
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398610
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398485
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398344
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398234
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398125
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2398014
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397891
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397766
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397656
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397547
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397438
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397313
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397188
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2397078
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396969
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396844
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396735
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396610
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396496
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396389
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396262
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396156
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2396045
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395933
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395813
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395703
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395591
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395469
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395360
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395235
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2395110
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394985
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394860
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394749
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394640
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394531
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394422
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Thread delayed: delay time: 2394281
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399891
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399781
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399657
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399547
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399436
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399328
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399219
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2399110
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398969
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398844
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398726
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398625
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398516
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398391
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2398031
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397922
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397813
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397688
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397563
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397453
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397340
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397234
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397125
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2397016
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396891
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396782
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396657
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396532
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396420
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396309
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396203
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2396094
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395979
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395875
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395762
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395641
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395516
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395391
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395282
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395157
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2395032
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394918
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394803
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394686
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394578
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394469
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394344
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394234
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Thread delayed: delay time: 2394124
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2400000
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399887
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399776
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399656
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399545
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399437
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399328
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399218
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399109
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2399000
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398890
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398780
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398671
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398561
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398453
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398343
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398234
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398122
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2398015
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397906
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397796
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397687
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397578
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397466
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397355
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397234
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397125
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2397015
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396906
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396796
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396685
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396578
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396468
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396359
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396250
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396140
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2396030
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395921
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395812
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395703
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395593
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395484
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395374
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395265
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395156
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2395046
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2394937
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2394828
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2394718
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2394609
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeThread delayed: delay time: 2394500
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6041
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3278
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Window / User API: threadDelayed 2340
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe Window / User API: threadDelayed 7492
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 6900
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe Window / User API: threadDelayed 2943
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWindow / User API: threadDelayed 2312
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWindow / User API: threadDelayed 7541
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 3080Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2548Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5004Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep count: 39 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -35971150943733603s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2400000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 2612Thread sleep count: 2340 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 2612Thread sleep count: 7492 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399670s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399327s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399217s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2399094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398234s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398125s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2398014s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397438s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397188s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2397078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396844s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396496s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396389s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396262s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396156s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2396045s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395933s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395703s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395591s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2395110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394749s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394640s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394531s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394422s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe TID: 1548Thread sleep time: -2394281s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4328Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep count: 31 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -28592453314249787s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2400000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399891s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 3924Thread sleep count: 6900 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 3924Thread sleep count: 2943 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399781s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399657s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399547s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399436s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399328s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399219s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2399110s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398969s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398844s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398726s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398391s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2398031s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397922s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397813s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397688s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397563s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397453s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397340s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397234s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397125s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2397016s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396891s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396782s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396657s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396532s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396420s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396309s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396203s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2396094s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395979s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395875s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395762s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395641s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395391s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395282s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395157s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2395032s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394918s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394803s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394686s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394578s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394469s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394344s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394234s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 2084Thread sleep time: -2394124s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5044Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -25825441703193356s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2400000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5156Thread sleep count: 2312 > 30
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399887s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 5156Thread sleep count: 7541 > 30
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399776s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399545s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399437s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399218s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2399000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398780s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398561s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398343s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398122s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2398015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397796s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397687s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397578s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397466s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397355s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397125s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2397015s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396906s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396796s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396685s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396578s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396468s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396359s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396250s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396140s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2396030s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395921s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395593s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395374s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395265s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2395046s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2394937s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2394828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2394718s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2394609s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe TID: 4600Thread sleep time: -2394500s >= -30000s
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2400000Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399890Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399781Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399670Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399547Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399437Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399327Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399217Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2399094Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398969Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398860Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398735Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398610Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398485Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398344Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398234Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398125Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2398014Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397891Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397766Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397656Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397547Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397438Jump to behavior
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeThread delayed: delay time: 2397313Jump to behavior
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4577974413.00000000061A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Memory written: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Memory written: C:\Users\user\AppData\Roaming\skyT\skyT.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Process created: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Process created: C:\Users\user\AppData\Roaming\skyT\skyT.exe "C:\Users\user\AppData\Roaming\skyT\skyT.exe"
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 07/23/2024 16:41:09<br>User Name: user<br>Computer Name: 141700<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}r
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q?<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}rTH
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q><b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}r{Win}TH
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}rTH
                    Source: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (23/05/2024 11:20:44)<br>{Win}TH
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Queries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Users\user\AppData\Roaming\skyT\skyT.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\skyT\skyT.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000007.00000002.4573886453.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 0000000A.00000002.4574644878.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 3160, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1656, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3b41b18.6.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.4558350.8.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 9.2.skyT.exe.3bb8bd0.7.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 6.2.skyT.exe.451d730.9.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.44682b0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 0.2.739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe.442d690.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match, file source: Process Memory Space: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe PID: 4232, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 2036, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1396, type: MEMORYSTR
                    Source: Yara match, file source: Process Memory Space: skyT.exe PID: 1020, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one tactic per column; the numeric prefixes in front of matched techniques are kept exactly as shown in the original matrix)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 112 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Registry Run Keys / Startup Folder | 3 Obfuscated Files or Information | Security Account Manager | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 2 Process Discovery | Distributed Component Object Model | 21 Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    Behavior Graph (ID: 1446056, Sample: 739077083533. FedEX_1310097..., Startdate: 22/05/2024, Architecture: WINDOWS, Score: 100). The graph image is not reproduced here; the information recoverable from it is:
                    Network nodes: mail.adgumrukmusavirligi.com; adgumrukmusavirligi.com (94.199.206.42, ports 587, 60100, 60101, AEROTEK-ASTR, Turkey), contacted by the injected child copy of the sample.
                    Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures.
                    Process tree: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe (signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes) starts a second 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe and powershell.exe (signature: Loading BitLocker PowerShell Module), which starts conhost.exe. skyT.exe (signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file) starts a child skyT.exe; a second skyT.exe starts a child skyT.exe (signature: Tries to harvest and steal browser information (history, passwords, etc)).
                    Files dropped by the injected child copy: C:\Users\user\AppData\Roaming\skyT\skyT.exe (PE32); C:\Users\user\...\skyT.exe:Zone.Identifier (ASCII). Signatures on that process: Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook.

                    Source | Detection | Scanner | Label
                    739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | 32% | ReversingLabs | Win32.Trojan.Generic
                    739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | 100% | Avira | TR/AD.GenSteal.xzcol
                    739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\skyT\skyT.exe | 100% | Avira | TR/AD.GenSteal.xzcol
                    C:\Users\user\AppData\Roaming\skyT\skyT.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\skyT\skyT.exe | 32% | ReversingLabs | Win32.Trojan.Generic
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://mail.adgumrukmusavirligi.com | 0% | Avira URL Cloud | safe
                    http://adgumrukmusavirligi.com | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    adgumrukmusavirligi.com | 94.199.206.42 | true | true | | unknown
                    mail.adgumrukmusavirligi.com | unknown | unknown | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://mail.adgumrukmusavirligi.com | 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://adgumrukmusavirligi.com | 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000004.00000002.4573708134.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://account.dyn.com/ | 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp; 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp; skyT.exe, 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp; skyT.exe, 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp; skyT.exe, 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp; skyT.exe, 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe, 00000000.00000002.2136429481.000000000315D000.00000004.00000800.00020000.00000000.sdmp; skyT.exe, 00000006.00000002.2294417914.000000000324D000.00000004.00000800.00020000.00000000.sdmp; skyT.exe, 00000009.00000002.2353162012.00000000028B0000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        94.199.206.42 | adgumrukmusavirligi.com | Turkey | 42807 | AEROTEK-ASTR | true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1446056
                        Start date and time:2024-05-22 22:00:40 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 10m 47s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:17
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@12/9@1/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 246
                        • Number of non-executed functions: 11
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                        Time | Type | Description
                        16:01:29 | API Interceptor | 5224998x Sleep call for process: 739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe modified
                        16:01:31 | API Interceptor | 9x Sleep call for process: powershell.exe modified
                        16:01:43 | API Interceptor | 8288603x Sleep call for process: skyT.exe modified
                        22:01:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run skyT C:\Users\user\AppData\Roaming\skyT\skyT.exe
                        22:01:43 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run skyT C:\Users\user\AppData\Roaming\skyT\skyT.exe
                        Match | Associated Sample Name / URL | Detection | Threat Name
                        94.199.206.42 | 024 - PT MARGATEK_ SETYATAMA PO 13100976 _20.05.2024 %100%_jpg .exe | malicious | AgentTesla
                        94.199.206.42 | İŞLEM ÖZETİ_20524057699-1034 nolu TICARI.exe | malicious | AgentTesla
                        94.199.206.42 | Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024 .exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | x7VYkFQt3J.exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | a2hghg40qH.exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | Siparis. 000867000960 AZTEK Order _ TEKNIKSAT A.s 08.05.2024 .exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | OsGKwfqamz.exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | Fiyat teklifi. SERYAPIM İNŞ. 2023 YILI MİZAN.exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | Fiyat teklifi. YILMAZ İNŞ A,s. 07052024 YILI MİZAN Sip PO-00901 .exe | malicious | AgentTesla, PureLog Stealer
                        94.199.206.42 | YILMAZ - Turkey siparis_Fiyat teklif 0058118592 - VANTUZ.xlsx.exe | malicious | AgentTesla, PureLog Stealer, RedLine
                        Match | Associated Sample Name / URL | Detection | Threat Name
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        AEROTEK-ASTR | 024 - PT MARGATEK_ SETYATAMA PO 13100976 _20.05.2024 %100%_jpg .exe | malicious | AgentTesla | 94.199.206.42
                        AEROTEK-ASTR | oae7jKW2lr.exe | malicious | AgentTesla | 109.232.216.54
                        AEROTEK-ASTR | İŞLEM ÖZETİ_20524057699-1034 nolu TICARI.exe | malicious | AgentTesla | 94.199.206.42
                        AEROTEK-ASTR | FİYAT TEKLİF İSTEĞİ.exe | malicious | AgentTesla, PureLog Stealer | 109.232.216.54
                        AEROTEK-ASTR | FİYAT TEKLİF İSTEĞİ.exe | malicious | AgentTesla | 109.232.216.54
                        AEROTEK-ASTR | FİYAT TALEBİ.exe | malicious | AgentTesla | 109.232.216.54
                        AEROTEK-ASTR | Siparis. #PO000867000960 AZTEK Order _ BIRLESIM NEKS A.s 14.05.2024 .exe | malicious | AgentTesla, PureLog Stealer | 94.199.206.42
                        AEROTEK-ASTR | FİYAT TEKLİF İSTEĞİ.exe | malicious | AgentTesla, PureLog Stealer | 109.232.216.54
                        AEROTEK-ASTR | x7VYkFQt3J.exe | malicious | AgentTesla, PureLog Stealer | 94.199.206.42
                        AEROTEK-ASTR | a2hghg40qH.exe | malicious | AgentTesla, PureLog Stealer | 94.199.206.42
                        No context
                        No context
                                            Process:C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Users\user\AppData\Roaming\skyT\skyT.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):1216
                                            Entropy (8bit):5.34331486778365
                                            Encrypted:false
                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1172
                                            Entropy (8bit):5.357042452875322
                                            Encrypted:false
                                            SSDEEP:24:3CytZWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NKIl9r+q:yyjWSU4xymI4RfoUeW+mZ9tK8ND3
                                            MD5:827C68C8F65D2B0800E6791B34AB6D2E
                                            SHA1:151BC96F9C26C53E02D2E0DA64995A462D0C3B4E
                                            SHA-256:6B22A727792EC2ACE1BC27BF00BECBBD842902F2FD0FC813CF45A21A986377D5
                                            SHA-512:67E9E89C531B2CDF47FCBBA3F036EA66427631A8EBF287A26DD35AFB114AF6E2D945304CBF72B94358245FEED658F9BA6E19B29879AE6488D8DC7A143DCC146D
                                            Malicious:false
                                            Reputation:moderate, very likely benign file
                                            Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:ASCII text, with no line terminators
                                            Category:dropped
                                            Size (bytes):60
                                            Entropy (8bit):4.038920595031593
                                            Encrypted:false
                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                            Malicious:false
                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                            Process:C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):686080
                                            Entropy (8bit):7.956438273738751
                                            Encrypted:false
                                            SSDEEP:12288:yfz4TLzf3S3WNDTOlZhMAKA/9hdW3GTTdxfCu5SY3+Uln+MymlyblNQbf:2z4TLzf3OWZiVMAz/9PWmTuuY/zmlyhS
                                            MD5:784BA798F9AA395A8ED0CD2D1E557320
                                            SHA1:D368D6B2507F3523702B855A19F0B6EB8380320B
                                            SHA-256:3979EB243225878A1331722D77EEB7D5937691A9E81322BFE24F5AE23AA855F6
                                            SHA-512:9C806128DA404126FCCDCE4E26E087D4121C80CDC7E23D29B5FE1DFA068A9E1DCAD91D7F36C6C62885BA676D88E63C39906BF7BABC4CE15994A4891770BA208B
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Avira, Detection: 100%
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 32%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.Mf.................d............... ........@.. ....................................@.................................`...K.................................................................................... ............... ..H............text....c... ...d.................. ..`.rsrc................f..............@..@.reloc...............v..............@..B........................H........<...F......U....................................................0..A....... .........%.C...(.....D... .........%.I...(.....J...(....*.....&*.....s....}.....s....}.....s....}.....r...p}....+..(.....(....*.0..........~D.....~J..........E....s...Q.......5...s.......Q...s......r...po.....r...po.....rq..po........ <~..Y..+..r...po.....o.....@.......+..o......o......{.....o.......8j....o....(........(....+......E........................+..s......+.+......E............k...B
                                            Process:C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):26
                                            Entropy (8bit):3.95006375643621
                                            Encrypted:false
                                            SSDEEP:3:ggPYV:rPYV
                                            MD5:187F488E27DB4AF347237FE461A079AD
                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                            Malicious:true
                                            Preview:[ZoneTransfer]....ZoneId=0
                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Entropy (8bit):7.956438273738751
                                            TrID:
                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                            File name:739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            File size:686'080 bytes
                                            MD5:784ba798f9aa395a8ed0cd2d1e557320
                                            SHA1:d368d6b2507f3523702b855a19f0b6eb8380320b
                                            SHA256:3979eb243225878a1331722d77eeb7d5937691a9e81322bfe24f5ae23aa855f6
                                            SHA512:9c806128da404126fccdce4e26e087d4121c80cdc7e23d29b5fe1dfa068a9e1dcad91d7f36c6c62885ba676d88e63c39906bf7babc4ce15994a4891770ba208b
                                            SSDEEP:12288:yfz4TLzf3S3WNDTOlZhMAKA/9hdW3GTTdxfCu5SY3+Uln+MymlyblNQbf:2z4TLzf3OWZiVMAz/9PWmTuuY/zmlyhS
                                            TLSH:39E4230CBBB569D3C46E83F7E579811647B492903A47D2CD9EDA78924EA7F0841C3F0A
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.Mf.................d............... ........@.. ....................................@................................
                                            Icon Hash:c04e363636261032
                                            Entrypoint:0x4a83ae
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x664DB441 [Wed May 22 09:00:49 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The bytes after the entrypoint are zero padding, which the disassembler renders as a long run of "add byte ptr [eax], al"; that run is omitted here. The jmp is an indirect jump through the IAT slot at RVA 0x2000, the image's only import, mscoree.dll!_CorExeMain, which is the standard native stub of a .NET executable; all real logic lives in the managed code, not at the PE entrypoint.)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa8360 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x1000 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa63b4 | 0xa6400 | 7888ff0d39e68f5867e78035596f827a | False | 0.9693300634398496 | data | 7.964960726010625 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xaa000 | 0x1000 | 0x1000 | fb1b9bb7c4b14cc80126d54162f0ead0 | False | 0.64794921875 | data | 5.904582185307584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xac000 | 0xc | 0x200 | 9ca65768d02e50b08a273ee2bb7ad986 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xaa100 | 0x7f0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9281496062992126
RT_GROUP_ICON | 0xaa900 | 0x14 | data | | | 1.05
RT_VERSION | 0xaa924 | 0x344 | data | | | 0.43301435406698563
RT_MANIFEST | 0xaac78 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
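The static block above is what a triage script pulls out of the PE header before anything is executed: the compile timestamp (0x664DB441 is 2024-05-22 09:00:49 UTC, a few hours before the sandbox run), the entrypoint (ImageBase 0x400000 + RVA 0xa83ae = 0x4a83ae), the DllCharacteristics flags, the CLR header in data directory 14 that marks a .NET assembly, and per-section entropy (7.96 for .text is the signature of a packed or encrypted payload). The following parser is an added example, not the sandbox's code and not code from the report: it builds a constructed PE32 image in memory that carries the header values listed above (the section bodies are synthetic filler, so their entropies are not the report's) and decodes them with the standard library only.

```python
"""Triage the PE32 header fields a sandbox report lists, from raw bytes.

Added example (not from the Joe Sandbox report and not the sandbox's code).
build_sample_pe() constructs an in-memory PE32 image carrying the header
values shown above (TimeDateStamp 0x664DB441, entrypoint RVA 0xa83ae,
DllCharacteristics 0x8540, a CLR header directory, three sections); the
section contents are synthetic filler, so their entropies are not the
report's. Standard library only.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
DIR_COM_DESCRIPTOR = 14          # data directory index of the CLR header


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte; near 8.0 means packed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_timestamp(ts: int) -> str:
    """COFF TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def decode_dll_characteristics(value: int) -> list:
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def parse_pe32(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) optional header")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", image, opt + 68)
    ndirs = struct.unpack_from("<I", image, opt + 92)[0]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 3)})
    clr_rva, clr_size = dirs[DIR_COM_DESCRIPTOR] if ndirs > DIR_COM_DESCRIPTOR else (0, 0)
    return {"machine": machine, "characteristics": chars, "compiled": decode_timestamp(ts),
            "entrypoint": image_base + entry_rva, "subsystem": subsystem,
            "dll_characteristics": decode_dll_characteristics(dll_chars),
            "is_dotnet": clr_size != 0, "clr_header_rva": clr_rva, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32 image mirroring the report's header values (synthetic section bodies)."""
    sections = [(b".text", 0xA63B4, 0x2000, bytes(range(256)) * 4),   # every byte value equally: entropy 8.0
                (b".rsrc", 0x1000, 0xAA000, b"\x00\x01" * 64),
                (b".reloc", 0xC, 0xAC000, b"\x00" * 0x200)]          # zeros: entropy 0.0
    opt_size = 96 + 16 * 8
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x664DB441, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0xA83AE)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                       # WINDOWS_GUI, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2008, 0x48)  # CLR header
    raw_ptr = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    hdrs, body = b"", b""
    for name, vsize, va, raw in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), raw_ptr, 0, 0, 0, 0, 0)
        body += raw
        raw_ptr += len(raw)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs + body


if __name__ == "__main__":
    for field, value in parse_pe32(build_sample_pe()).items():
        print(f"{field}: {value}")
```

Point parse_pe32 at the bytes of a real file and compare against the report: a .text section whose entropy sits near 8.0 while the import table holds nothing but _CorExeMain is the combination that the "very large array initializations" and ".NET source code contains potential unpacker" signatures in the overview are describing, the encrypted payload is stored as data inside the managed assembly and decrypted at run time.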
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/22/24-22:03:11.679391 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 60101 | 587 | 192.168.2.6 | 94.199.206.42
05/22/24-22:03:11.679391 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            May 22, 2024 22:03:07.303745985 CEST | 60100 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:07.308881998 CEST | 587 | 60100 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:07.309473991 CEST | 60100 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:08.017620087 CEST | 60100 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:08.023134947 CEST | 587 | 60100 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:08.039237976 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:08.044187069 CEST | 587 | 60100 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:08.044246912 CEST | 60100 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:08.049159050 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:08.049232960 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:09.116610050 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:09.118518114 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:09.128329039 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:09.343836069 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:09.392146111 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:10.318700075 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:10.323971987 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.539211988 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.540031910 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:10.544924021 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.762968063 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.763569117 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:10.768475056 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.983319044 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:10.983717918 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:10.988784075 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.456026077 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.456681967 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:11.462352037 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.678024054 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.679390907 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:11.679390907 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:11.679390907 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:11.679390907 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:03:11.684441090 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.689301968 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.735330105 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:11.735344887 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:12.069333076 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:03:12.144575119 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:04:48.161341906 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:04:48.166588068 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:04:48.585601091 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:04:48.585730076 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:04:48.590565920 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            May 22, 2024 22:04:48.590673923 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42
                                            May 22, 2024 22:04:48.595614910 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            May 22, 2024 22:01:48.448775053 CEST | 53 | 51526 | 1.1.1.1 | 192.168.2.6
                                            May 22, 2024 22:01:49.931037903 CEST | 53 | 59309 | 1.1.1.1 | 192.168.2.6
                                            May 22, 2024 22:03:06.961353064 CEST | 49387 | 53 | 192.168.2.6 | 1.1.1.1
                                            May 22, 2024 22:03:07.291306973 CEST | 53 | 49387 | 1.1.1.1 | 192.168.2.6
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            May 22, 2024 22:03:06.961353064 CEST | 192.168.2.6 | 1.1.1.1 | 0x35ec | Standard query (0) | mail.adgumrukmusavirligi.com | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            May 22, 2024 22:03:07.291306973 CEST | 1.1.1.1 | 192.168.2.6 | 0x35ec | No error (0) | mail.adgumrukmusavirligi.com | adgumrukmusavirligi.com | (none) | CNAME (Canonical name) | IN (0x0001) | false
                                            May 22, 2024 22:03:07.291306973 CEST | 1.1.1.1 | 192.168.2.6 | 0x35ec | No error (0) | adgumrukmusavirligi.com | (none) | 94.199.206.42 | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                            May 22, 2024 22:03:09.116610050 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 220-srvc41.turhost.com ESMTP Exim 4.97.1 #2 Wed, 22 May 2024 23:03:07 +0300
                                                220-We do not authorize the use of this system to transport unsolicited,
                                                220 and/or bulk e-mail.
                                            May 22, 2024 22:03:09.118518114 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | EHLO 141700
                                            May 22, 2024 22:03:09.343836069 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 250-srvc41.turhost.com Hello 141700 [8.46.123.175]
                                                250-SIZE 52428800
                                                250-8BITMIME
                                                250-PIPELINING
                                                250-PIPECONNECT
                                                250-AUTH PLAIN LOGIN
                                                250-STARTTLS
                                                250 HELP
                                            May 22, 2024 22:03:10.318700075 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | AUTH login Z2l6ZW1jZXZpa0BhZGd1bXJ1a211c2F2aXJsaWdpLmNvbQ==
                                            May 22, 2024 22:03:10.539211988 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 334 UGFzc3dvcmQ6
                                            May 22, 2024 22:03:10.762968063 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 235 Authentication succeeded
                                            May 22, 2024 22:03:10.763569117 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | MAIL FROM:<gizemcevik@adgumrukmusavirligi.com>
                                            May 22, 2024 22:03:10.983319044 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 250 OK
                                            May 22, 2024 22:03:10.983717918 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | RCPT TO:<obikachikezienelson19@gmail.com>
                                            May 22, 2024 22:03:11.456026077 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 250 Accepted
                                            May 22, 2024 22:03:11.456681967 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | DATA
                                            May 22, 2024 22:03:11.678024054 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 354 Enter message, ending with "." on a line by itself
                                            May 22, 2024 22:03:11.679390907 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | .
                                            May 22, 2024 22:03:12.069333076 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 250 OK id=1s9sB4-00000003a0Q-2I1w
                                            May 22, 2024 22:04:48.161341906 CEST | 60101 | 587 | 192.168.2.6 | 94.199.206.42 | QUIT
                                            May 22, 2024 22:04:48.585601091 CEST | 587 | 60101 | 94.199.206.42 | 192.168.2.6 | 221 srvc41.turhost.com closing connection


                                            Target ID:0
                                            Start time:16:01:29
                                            Start date:22/05/2024
                                            Path:C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
                                            Imagebase:0xdc0000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2137030214.0000000004D52000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2137030214.000000000442D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:16:01:30
                                            Start date:22/05/2024
                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
                                            Imagebase:0xc00000
                                            File size:433'152 bytes
                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:16:01:30
                                            Start date:22/05/2024
                                            Path:C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\739077083533. FedEX_13100976 _20.05.2024 %100%_jpg.exe"
                                            Imagebase:0x8e0000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4573708134.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                            Target ID:5
                                            Start time:16:01:30
                                            Start date:22/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff66e660000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:16:01:43
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\skyT\skyT.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\skyT\skyT.exe"
                                            Imagebase:0xd90000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2295766136.000000000451D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 32%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:7
                                            Start time:16:01:45
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\skyT\skyT.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\skyT\skyT.exe"
                                            Imagebase:0xab0000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4569543128.0000000000430000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4573886453.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                            Target ID:9
                                            Start time:16:01:51
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\skyT\skyT.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\skyT\skyT.exe"
                                            Imagebase:0x3e0000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2357943673.0000000003B41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2357943673.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:true

                                            Target ID:10
                                            Start time:16:01:51
                                            Start date:22/05/2024
                                            Path:C:\Users\user\AppData\Roaming\skyT\skyT.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\skyT\skyT.exe"
                                            Imagebase:0xd70000
                                            File size:686'080 bytes
                                            MD5 hash:784BA798F9AA395A8ED0CD2D1E557320
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.4574644878.000000000322B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:9.6%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:218
                                              Total number of Limit Nodes:14
                                              execution_graph: node and edge data of the interactive execution graph (rendered as a figure on the live report). API calls referenced by its nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, PostMessageW, CreateActCtxA, GetModuleHandleW, LoadLibraryExW.
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 428ac68a8a4576ccac86cf5b0cc9589a3139813ece01c739d7ffbc2ec192711e
                                              • Instruction ID: 2392e5058ce5b666fa03610d09da7b1b853c388d626dc04117a1c0ebb4a17a7e
                                              • Opcode Fuzzy Hash: 428ac68a8a4576ccac86cf5b0cc9589a3139813ece01c739d7ffbc2ec192711e
                                              • Instruction Fuzzy Hash: F751DAF1D157198BEB24CF66C8453DAFBBAAFC9300F14D1AAC40DA6611EB741A85CF40

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 017CD51E
                                              • GetCurrentThread.KERNEL32 ref: 017CD55B
                                              • GetCurrentProcess.KERNEL32 ref: 017CD598
                                              • GetCurrentThreadId.KERNEL32 ref: 017CD5F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 92b6ab85b30fa753ab745f6974ed482da1ed5b52d12c34f0b91ae4835c3c5587
                                              • Instruction ID: 3b8d22a868c058338a2fee79fcc7f4e2750941bb9783ff6f28deb829a61ebf75
                                              • Opcode Fuzzy Hash: 92b6ab85b30fa753ab745f6974ed482da1ed5b52d12c34f0b91ae4835c3c5587
                                              • Instruction Fuzzy Hash: 595155B09003099FDB14CFA9D948BAEFBF1AF88314F20846DE519A7390DB74A944CF65

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 017CD51E
                                              • GetCurrentThread.KERNEL32 ref: 017CD55B
                                              • GetCurrentProcess.KERNEL32 ref: 017CD598
                                              • GetCurrentThreadId.KERNEL32 ref: 017CD5F1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 7f636a313721e10866fa0e570640121598b43762950001e382d8d71dbeca7108
                                              • Instruction ID: df29ab5b49c374b68e1f586baf80df3e5af88efe070c602e5c41d044c66e81d9
                                              • Opcode Fuzzy Hash: 7f636a313721e10866fa0e570640121598b43762950001e382d8d71dbeca7108
                                              • Instruction Fuzzy Hash: 9F5164B09003098FDB14CFA9D548BAEFFF1AF88314F20846DE419A7250DB74A944CB65

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073C962E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: d981d3d80c158aa5efb8328da476892621481a2758a9a1830eb2f9403d68982d
                                              • Instruction ID: a65e46a40b9415f225426377da420ae5efd16aa75774f82e5eca82d8313fc681
                                              • Opcode Fuzzy Hash: d981d3d80c158aa5efb8328da476892621481a2758a9a1830eb2f9403d68982d
                                              • Instruction Fuzzy Hash: 72A15DB1D0021ADFEF24CF68C8417DDBBB2BF48314F1585A9E909A7280DB759985CF91

                                              Control-flow Graph

                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 073C962E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 1b0e236a6499eb6f5187f162189c66ce60872d7f96b09be600f6097146b3abf8
                                              • Instruction ID: f3f196cbaf816f791a9437cb1f4110649358b34e09cd887cfadb3c97609a2362
                                              • Opcode Fuzzy Hash: 1b0e236a6499eb6f5187f162189c66ce60872d7f96b09be600f6097146b3abf8
                                              • Instruction Fuzzy Hash: F9915DB1D0021ADFEF14CF68C8417DDBBB2BF48314F1585A9E908A7280DB759985CF91

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 017CB45E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: fa6deb0836ad64e752d01d999e3090f9cfb1591d5ea6386644d0c32f7c03dde1
                                              • Instruction ID: 3588156c6a924d593138a31b993850ddd0b2f432fbcdaf988070b94c40c08fe8
                                              • Opcode Fuzzy Hash: fa6deb0836ad64e752d01d999e3090f9cfb1591d5ea6386644d0c32f7c03dde1
                                              • Instruction Fuzzy Hash: 58711270A00B098FD724DF6AD44575AFBF2FF88744F008A2DE58A97A40DB74E805CB91

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 017C5DD9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: e45f3c903d8da183e45a70dd39e790ef183cb61f7a35e9dd5910d1b83c48b5cd
                                              • Instruction ID: d957cb35bbc6aec5303c2875e642f4c37dd62b8c58d900639476a673203d912b
                                              • Opcode Fuzzy Hash: e45f3c903d8da183e45a70dd39e790ef183cb61f7a35e9dd5910d1b83c48b5cd
                                              • Instruction Fuzzy Hash: 1341EFB0D0071DCBDB24DFA9C984B9EFBB5BF48704F60816AD408AB251DB756946CF90

                                              Control-flow Graph

                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 017C5DD9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 5a8d3d5d9a24b157b094677dfd022729562e2c3cc7ae3d6a962fe0e970aa1164
                                              • Instruction ID: 7132068dff6af888ef6af0f5c4bc82c6dfff04095dbcaa44b904348a8687b06f
                                              • Opcode Fuzzy Hash: 5a8d3d5d9a24b157b094677dfd022729562e2c3cc7ae3d6a962fe0e970aa1164
                                              • Instruction Fuzzy Hash: 7B41FFB0C0071DCBEB24DFA9C884B9EFBB5BF48704F20816AD408AB251DB756946CF50

                                              Control-flow Graph

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073C8E00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 5e5fb327c477eb99c432b4d48890c1776c4af995d47bd73716bfb71240b72d9c
                                              • Instruction ID: 83ca93e69ee813dfb2d2eeceffaf274e126b6165ed4bc882351d4022302e48f0
                                              • Opcode Fuzzy Hash: 5e5fb327c477eb99c432b4d48890c1776c4af995d47bd73716bfb71240b72d9c
                                              • Instruction Fuzzy Hash: 1B2117B5900349DFDB10CFA9C885BDEBBF5BF48314F10882AE519A7241C7789950CBA5

                                              Control-flow Graph

                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 073C8E00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: c4f69a0d28026c7041cdc8d70497982e40c5f4763730c6a6cc24e4443ae87974
                                              • Instruction ID: d29b8b7b025519661e8c487bcd790e493c39fe029cbb62288935d3ee4324a9e3
                                              • Opcode Fuzzy Hash: c4f69a0d28026c7041cdc8d70497982e40c5f4763730c6a6cc24e4443ae87974
                                              • Instruction Fuzzy Hash: C62126B590034ADFDB10CFA9C885BDEBBF5FF48310F108429E918A7240C7789950CBA4

                                              Control-flow Graph

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073C8EE0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 8da26528d21ad363f4575696e3325eab14e49f80852fd2028c80e2ca88fa287c
                                              • Instruction ID: 0c85f220d7bf9120f7d8389b37cb6705b0fc01ca295f1cb23b9f0f9add03f4d8
                                              • Opcode Fuzzy Hash: 8da26528d21ad363f4575696e3325eab14e49f80852fd2028c80e2ca88fa287c
                                              • Instruction Fuzzy Hash: 552119B18003499FDB10CFAAC885ADEBBF5FF48324F10842AE518A7250C7799950CBA5

                                              Control-flow Graph

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073C8C56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 36d6b365683f6e4cef4a99eaa3f9215efb55e8cf3e1f235eab4c2c0f5d755547
                                              • Instruction ID: 77f4c3c2d1f34c20aa3944ab943f1e1b0249c5c5c6995127b81ee08e409e8fcc
                                              • Opcode Fuzzy Hash: 36d6b365683f6e4cef4a99eaa3f9215efb55e8cf3e1f235eab4c2c0f5d755547
                                              • Instruction Fuzzy Hash: DF2137B19003099FEB10DFAAC4857EEFBF4AF88224F14842AD559A7240CB789945CFA5

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD76F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 8c1684ddbf6f6a08e79862f996d765f72bb06025467adc9f2f543239209ed71f
                                              • Instruction ID: d6f6830195148a76c7f120b826307ca18c4e4d3d41e438251f5212a100e83c5a
                                              • Opcode Fuzzy Hash: 8c1684ddbf6f6a08e79862f996d765f72bb06025467adc9f2f543239209ed71f
                                              • Instruction Fuzzy Hash: 6B21E3B5900249EFDB10CF9AD984ADEFBF4FB48724F24842AE914A3250D374A950CFA0

                                              Control-flow Graph

                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 073C8EE0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 7e8b11ca21602a6d46ca6b7bbf471b0c91542e0f79f193d0455f02750b046010
                                              • Instruction ID: daa080403db1cf90131d9dd8873effd1b4547e25329534c97a518cd524cac16f
                                              • Opcode Fuzzy Hash: 7e8b11ca21602a6d46ca6b7bbf471b0c91542e0f79f193d0455f02750b046010
                                              • Instruction Fuzzy Hash: 7421E6B19003599FDB10DFAAC881ADEBBF5FF48310F108429E519A7250D7799950CBA5

                                              Control-flow Graph

                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 073C8C56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: deb318d020de25807c0452319471ae103523d2cdc844354b51eee9e4bb0d4772
                                              • Instruction ID: ef9ad04a73305c934fe59667c9ca8ad3908342d813a9a70df9a439d131edfedf
                                              • Opcode Fuzzy Hash: deb318d020de25807c0452319471ae103523d2cdc844354b51eee9e4bb0d4772
                                              • Instruction Fuzzy Hash: 772107B19003099FEB10DFAAC4857EEBBF4AF88224F148429D559A7240DB789945CFA5

                                              Control-flow Graph

                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 017CD76F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2136163227.00000000017C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_17c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: c4528b7a54428cceae1ebef0ac11546ea4a7bbc19d79eafdb4aaad2cf195e11f
                                              • Instruction ID: 8713dd333810df7182521ccb96168192eb6492afa5e34a01c65b0849d3440a8a
                                              • Opcode Fuzzy Hash: c4528b7a54428cceae1ebef0ac11546ea4a7bbc19d79eafdb4aaad2cf195e11f
                                              • Instruction Fuzzy Hash: 1521E3B59002499FDB10CF9AD984ADEFBF4FB48320F14841AE914A3210D374A950CFA0
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 073C8D1E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2139734407.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_73c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 704368cb55f5e1164452d4c525a23b96be72e92d58434ab0509cbe9f5f89d75c
                                              • Instruction ID: 331e03fc44f2976a05c93aba653d1cfe01fa586ef996859f30b396ca6640f335
                                              • Opcode Fuzzy Hash: 704368cb55f5e1164452d4c525a23b96be72e92d58434ab0509cbe9f5f89d75c
                                              • Instruction Fuzzy Hash: D9115C768002499FDF10CFA9C845BDFBBF5EF48324F108819E519A7250C775A950CFA1
                                              APIs

Execution Graph

Execution Coverage: 12.1%
Dynamic/Decrypted Code Coverage: 93.4%
Signature Coverage: 0%
Total number of Nodes: 182
Total number of Limit Nodes: 16

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 062CC68E
                                              • GetCurrentThread.KERNEL32 ref: 062CC6CB
                                              • GetCurrentProcess.KERNEL32 ref: 062CC708
                                              • GetCurrentThreadId.KERNEL32 ref: 062CC761
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID: `K
                                              • API String ID: 2063062207-1731638711
                                              • Opcode ID: 59a2d94db6ceabe75d488c1a27127b15107d824c2035617c1d08ac92aeb7720d
                                              • Instruction ID: ab854464ace52aa22469c7375b85c3254039177555a5df862e920e4bd29b089c
                                              • Opcode Fuzzy Hash: 59a2d94db6ceabe75d488c1a27127b15107d824c2035617c1d08ac92aeb7720d
                                              • Instruction Fuzzy Hash: AA5188B091174ACFDB58CFA9D948BAEBBF1EF88314F24811DD809A7250DB749944CB61

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 062CC68E
                                              • GetCurrentThread.KERNEL32 ref: 062CC6CB
                                              • GetCurrentProcess.KERNEL32 ref: 062CC708
                                              • GetCurrentThreadId.KERNEL32 ref: 062CC761
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID: `K
                                              • API String ID: 2063062207-1731638711
                                              • Opcode ID: 178c8223cad1fbc4a17675a5ac30fc6b16fb2873e0594e1dc1f1d922bf9cf7b9
                                              • Instruction ID: 64c7e4f8ceef287eba8fa8684f1bcdd85a8d4a8e647b6d033000a10434158adc
                                              • Opcode Fuzzy Hash: 178c8223cad1fbc4a17675a5ac30fc6b16fb2873e0594e1dc1f1d922bf9cf7b9
                                              • Instruction Fuzzy Hash: DC5156B091174ACFDB58CFA9D948BAEBBF1EF88324F208119D809A7250DB749944CB65
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 02B0FEFB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b00000_739077083533.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: ecdad8a6d7a04cb5ba0dbaf4e7e260c224edd9c828827f4e953369818b3a8f5e
                                              • Instruction ID: 5b2cb4547b7324b0dd0e159e98e1369e2918553b99e63aabdaa76017a57d41a2
                                              • Opcode Fuzzy Hash: ecdad8a6d7a04cb5ba0dbaf4e7e260c224edd9c828827f4e953369818b3a8f5e
                                              • Instruction Fuzzy Hash: F5420534B002058FDB25DB68C584BADBBB2FB49314F6485AAD409EB7A1DB75EC85CB40
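The per-function records above (the "APIs" bullets with their call-site refs, the "Memory Dump Source" line and the "Opcode ID") repeat the same call site under several overlapping function entries, so counting bullets overstates how many distinct API calls the dump contains. The parser below is an added example written for this page, not Joe Sandbox code: it splits the records, collapses them to unique call-site addresses, and attaches triage labels. The sample text is constructed from records on this page, and the API_TAGS labels are this example's own assumptions, not sandbox output.

```python
import re
from collections import Counter

# Constructed sample: annotation records copied in shape from this report page
# (the "APIs" bullets with call-site refs, the memory-dump source line and the
# Opcode ID). Everything else in a record is ignored by this parser.
SAMPLE = """\
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 02B0FEFB
Memory Dump Source
• Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
Similarity
• Opcode ID: ecdad8a6d7a04cb5ba0dbaf4e7e260c224edd9c828827f4e953369818b3a8f5e
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 02B072C8
• Opcode ID: bdcbf3757051df6c897d369322109b91de672221af7190ab3d726d357fa974fd
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 02B072C8
• Opcode ID: 53656eb399a704c709a79ff5e39b5bd009a495a19d7b6425281c83d162fc3d27
APIs
• GetCurrentProcess.KERNEL32 ref: 062CC68E
• GetCurrentThread.KERNEL32 ref: 062CC6CB
• Opcode ID: 59a2d94db6ceabe75d488c1a27127b15107d824c2035617c1d08ac92aeb7720d
"""

API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<mod>\w+)"   # e.g. SetWindowsHookExA.USER32
    r"(?:\((?P<args>[^)]*)\),)?"              # optional "(arg,arg,...),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"    # call-site address
)
OPCODE_RE = re.compile(r"^(?:•\s*)?Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")
OFFSET_RE = re.compile(r"Source File:.*Offset:\s*(?P<off>[0-9A-Fa-f]+)")

# Assumed triage labels for the imports seen on this page (this example's own
# mapping, not something the sandbox emits).
API_TAGS = {
    "SetWindowsHookExA": "installs a Windows hook (keylogging candidate)",
    "SetWindowsHookExW": "installs a Windows hook (keylogging candidate)",
    "OleGetClipboard": "reads the clipboard",
    "DeleteFileW": "deletes a file",
    "DuplicateHandle": "duplicates a handle",
    "CreateWindowExW": "creates a window",
}


def parse_records(text):
    """Split annotation text into per-function records.

    A record starts at an "APIs" header and collects the API bullets, the
    memory-dump offset and the Opcode ID that follow it.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "opcode_id": None, "offset": None}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            arg_tuple = tuple(a.strip() for a in args.split(",")) if args is not None else ()
            current["apis"].append((m.group("api"), m.group("mod"), arg_tuple, m.group("ref").upper()))
            continue
        m = OPCODE_RE.match(line)
        if m:
            current["opcode_id"] = m.group("id")
            continue
        m = OFFSET_RE.search(line)
        if m:
            current["offset"] = m.group("off").upper()
    return records


def unique_call_sites(records):
    """Map call-site address -> (api, module).

    Overlapping disassemblies list the same call site under several function
    entries (three DeleteFileW records share ref 02B072C8 on this page); keying
    by address collapses them to one site each.
    """
    sites = {}
    for rec in records:
        for api, mod, _args, ref in rec["apis"]:
            sites[ref] = (api, mod)
    return sites


def behaviour_tags(records):
    """Counter of triage labels, one count per unique call site."""
    tags = Counter()
    for api, _mod in unique_call_sites(records).values():
        tag = API_TAGS.get(api)
        if tag:
            tags[tag] += 1
    return tags


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for ref, (api, mod) in sorted(unique_call_sites(recs).items()):
        print(f"{ref}  {mod}!{api}")
    for tag, n in behaviour_tags(recs).items():
        print(f"{n}x {tag}")
```

Keying on the call-site ref rather than on the Opcode ID is deliberate: the Opcode ID changes with every function entry the plugin chose, while the ref is the one address the sandbox actually observed the call at, so it is the field worth pivoting on when comparing two dumps of the same sample.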

                                              Control-flow Graph
                                              control_flow_graph: entry 2b07308, blocks 2b072a6-2b07491; DeleteFileW called in block 2b072a6-2b072d5; block 2b073bf calls 2b078b0, 2b078a0 or 2b07d08 (block and edge list omitted)
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 02B072C8
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b00000_739077083533.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: bdcbf3757051df6c897d369322109b91de672221af7190ab3d726d357fa974fd
                                              • Instruction ID: 3a782550c80828554ebf6b6f560e372400e420ff676d6181d96e4be3eb1897c5
                                              • Opcode Fuzzy Hash: bdcbf3757051df6c897d369322109b91de672221af7190ab3d726d357fa974fd
                                              • Instruction Fuzzy Hash: 4A418170E1021ADFEB15CF65C48579EFBB5FF49310F1085A5E815EB280EB74A946CB90

                                              Control-flow Graph
                                              control_flow_graph: entry 62c8af3, blocks 62c8af3-62c8c69; CreateWindowExW called in block 62c8bbb-62c8c1a (block and edge list omitted)
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062C8C0A
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: b9e8fda8bb4cd3df11a5647bce028655eaee2ca83b4c5604888a1eb5071d74cb
                                              • Instruction ID: 1d624f10c0b69165775aaede7e96202659b25947f4859add9ee9183414455f67
                                              • Opcode Fuzzy Hash: b9e8fda8bb4cd3df11a5647bce028655eaee2ca83b4c5604888a1eb5071d74cb
                                              • Instruction Fuzzy Hash: C541E2B1D10309DFDB14CF99C880ADEBFB5BF48350F20822AE819AB250D7759985CF90

                                              Control-flow Graph
                                              control_flow_graph: entry 62c8af8, blocks 62c8af8-62c8c69; CreateWindowExW called in block 62c8b7b-62c8c1a (block and edge list omitted)
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 062C8C0A
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 08d66ffaff7d3e0194447158ce932fa79f15deaf42423d851fd21f902d8a35cc
                                              • Instruction ID: 31940c0adae813d061155d058b178baafff3a5ffbb75aefb5135c66473f6e089
                                              • Opcode Fuzzy Hash: 08d66ffaff7d3e0194447158ce932fa79f15deaf42423d851fd21f902d8a35cc
                                              • Instruction Fuzzy Hash: EA41D2B1D10309DFDB14CF99C884ADEBFB5BF48350F24822AE819AB250D775A945CF90

                                              Control-flow Graph
                                              control_flow_graph: entry 62cc40c, blocks 62cc40c-62cd80c; CallWindowProcW called in block 62cd78a-62cd7c2; block 62cd7dc-62cd7fc calls 62c6db4 (block and edge list omitted)
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 062CD7B1
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: df7f942b3c5fa9c2e03ecac20536ef35697c9dee61f0f7864ca9bb6d43e543e8
                                              • Instruction ID: aee33ee81854e7fcc85635777cb41a2a346d29481aeacd20188469bd9db36fa6
                                              • Opcode Fuzzy Hash: df7f942b3c5fa9c2e03ecac20536ef35697c9dee61f0f7864ca9bb6d43e543e8
                                              • Instruction Fuzzy Hash: 20413BB8910305CFDB54CF59C488BAABBF5FF88324F248958D519AB321D775A845CFA0

                                              Control-flow Graph
                                              control_flow_graph: entry 62ce42c, blocks 62ce42c-62ce538; OleGetClipboard called in block 62ce492-62ce4d0 (block and edge list omitted)
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: 20df688e4382f5cde54b501a2f4d6fafc05daf3b64fe65536c43d2f694b0c2cd
                                              • Instruction ID: 840c79152289590518427af4d8ed8b95fa7c681029e4624011c8eee554a14f6b
                                              • Opcode Fuzzy Hash: 20df688e4382f5cde54b501a2f4d6fafc05daf3b64fe65536c43d2f694b0c2cd
                                              • Instruction Fuzzy Hash: 053132B0D10348DFDB64CFA9C984BDEBBF5AF48714F208019E844BB290D7B4A845CBA1

                                              Control-flow Graph
                                              control_flow_graph: entry 62ce438, blocks 62ce438-62ce538; OleGetClipboard called in block 62ce438-62ce4d0 (block and edge list omitted)
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: 0677b65829dd50edcc542ea2fb4d83cb452049699a221606477245b6d313d64a
                                              • Instruction ID: 1d5dd819088ba938f83f6b915ff6a7729d0394c07aebd5045c043afad069820c
                                              • Opcode Fuzzy Hash: 0677b65829dd50edcc542ea2fb4d83cb452049699a221606477245b6d313d64a
                                              • Instruction Fuzzy Hash: EF3100B0D01309DFDB54CF99C984B8EBBF5AF48724F208059E408AB290DBB4A845CBA1

                                              Control-flow Graph
                                              control_flow_graph: entry 62cc850, blocks 62cc850-62cc912; DuplicateHandle called in block 62cc850-62cc8ec (block and edge list omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062CC8DF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 66bec8479fc2aa4282547e5213fc7e55e148826a1299f26b9bc6d5b5be3c312b
                                              • Instruction ID: f61a4bff55babf3431fad8370c2cd7bae28dcb8991abaf344b6967f2243579ba
                                              • Opcode Fuzzy Hash: 66bec8479fc2aa4282547e5213fc7e55e148826a1299f26b9bc6d5b5be3c312b
                                              • Instruction Fuzzy Hash: B221D2B5D002499FDB10CFA9D984AEEBBF5EB48360F14851AE918A3250D379A950CF60

                                              Control-flow Graph
                                              control_flow_graph: entry 62cc858, blocks 62cc858-62cc912; DuplicateHandle called in block 62cc858-62cc8ec (block and edge list omitted)
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 062CC8DF
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: c350f93ab6c14854e808a19bf2faf4e1816237ad2ae8db648b6e816b520eb2ec
                                              • Instruction ID: e6ee235f005bbf6afd36db4cc6ce297cfd46767800fe443fb791f26869f2264e
                                              • Opcode Fuzzy Hash: c350f93ab6c14854e808a19bf2faf4e1816237ad2ae8db648b6e816b520eb2ec
                                              • Instruction Fuzzy Hash: 0021E4B5D00249DFDB10CF9AD984ADEBBF8FB48320F14811AE918A3350D379A950CF60

                                              Control-flow Graph
                                              control_flow_graph: entry 2b07251, blocks 2b07251-2b07306; DeleteFileW called in block 2b072aa-2b072d5 (block and edge list omitted)
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 02B072C8
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b00000_739077083533.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: 53656eb399a704c709a79ff5e39b5bd009a495a19d7b6425281c83d162fc3d27
                                              • Instruction ID: a5883471056f2ee0d8e3dc008beb122eae9f7a3cd698b178c7f5bb68e4e9eab3
                                              • Opcode Fuzzy Hash: 53656eb399a704c709a79ff5e39b5bd009a495a19d7b6425281c83d162fc3d27
                                              • Instruction Fuzzy Hash: 242158B2C0065A9FCB10CF9AC5847EEFBB0FF48320F148169D858A7240D778A945CFA0

                                              Control-flow Graph
                                              control_flow_graph: entry 2b0fe79, blocks 2b0fe79-2b0ff31; SetWindowsHookExA called in block 2b0fed6-2b0ff08 (block and edge list omitted)
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 02B0FEFB
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b00000_739077083533.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 2a8dada10bceccb7427611e7c4e2c66058accf6fd98a6bfeaefb4c84f8ea5afb
                                              • Instruction ID: 8a466682daf7e4c4d89acd7122ee6b8a1b046aa2d435d3863af0cf6ace0214a7
                                              • Opcode Fuzzy Hash: 2a8dada10bceccb7427611e7c4e2c66058accf6fd98a6bfeaefb4c84f8ea5afb
                                              • Instruction Fuzzy Hash: 9C2115B1D002499FDB24DF9AD984BEEBBF5FB88310F108419E419A7250CB75A944CFA1

                                              Control-flow Graph
                                              control_flow_graph: entry 2b07258, blocks 2b07258-2b07306; DeleteFileW called in block 2b072aa-2b072d5 (block and edge list omitted)
                                              APIs
                                              • DeleteFileW.KERNELBASE(00000000), ref: 02B072C8
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572932222.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_2b00000_739077083533.jbxd
                                              Similarity
                                              • API ID: DeleteFile
                                              • String ID:
                                              • API String ID: 4033686569-0
                                              • Opcode ID: b98f3ea90038df1806bd898e8a2f35a9bd2ced4ceadca805be96c30459245de4
                                              • Instruction ID: 5f0a75b69a11a3d32bef5cce6c0305a22943aa0c8e73917fc1e9488dd47aadfb
                                              • Opcode Fuzzy Hash: b98f3ea90038df1806bd898e8a2f35a9bd2ced4ceadca805be96c30459245de4
                                              • Instruction Fuzzy Hash: AC1138B1C0065A9BCB14CF9AC54479EFBB4EF48720F108159D818A7240D778A944CFA1

                                              Control-flow Graph
                                              control_flow_graph: entry 62c6c80, blocks 62c6c80-62c7ae0; GetModuleHandleW called in block 62c7a98-62c7ac3 (block and edge list omitted)
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 062C7AB6
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 7e952984cc403bbc0bd5c017676d526989cc0a837c32c979fa9b06057bb09392
                                              • Instruction ID: 6218e163a75a66b09ac35af04c585d4b57cbc224b85b4f3b37a82a2c5fce2bd0
                                              • Opcode Fuzzy Hash: 7e952984cc403bbc0bd5c017676d526989cc0a837c32c979fa9b06057bb09392
                                              • Instruction Fuzzy Hash: 191132B1C0074A8FDB10CF9AC444BDEFBF4EB88224F10851AD819B7200D3B9A644CFA1
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,062CD9FD), ref: 062CDA87
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: d9e545f8329edf876aaa767016deb997198f8444923498fb290d17c01b168579
                                              • Instruction ID: 1c63e9870b271177c90b0748b1b93262ed2baa8ebc92075f5ffae8fc566a78a8
                                              • Opcode Fuzzy Hash: d9e545f8329edf876aaa767016deb997198f8444923498fb290d17c01b168579
                                              • Instruction Fuzzy Hash: 4B1125B1804349CFDB10DF9AD484BDEBBF4EF88320F208419D919A3200D3B5A944CFA5
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 062CE345
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 886cc61bbedbf00132cc267ebd7655cc31ccfa0fc656f49cf9473b21c34208cc
                                              • Instruction ID: fe8c4947b5e6908ab2a7e4ea6ff1966961668defb8c00f959303322ed9de9b25
                                              • Opcode Fuzzy Hash: 886cc61bbedbf00132cc267ebd7655cc31ccfa0fc656f49cf9473b21c34208cc
                                              • Instruction Fuzzy Hash: 861133B1800349CFDB10DF9AC444BDEFBF4EB48320F20841AD918A3210D779A940CFA5

                                              Control-flow Graph

                                              control_flow_graph 1355 62c7a4d-62c7a90 1356 62c7a98-62c7ac3 GetModuleHandleW 1355->1356 1357 62c7a92-62c7a95 1355->1357 1358 62c7acc-62c7ae0 1356->1358 1359 62c7ac5-62c7acb 1356->1359 1357->1356 1359->1358
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 062C7AB6
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d2007b49e6727df71159eebbded34adfe1bfe89092f294aec6ccd6bc60d1cc55
                                              • Instruction ID: f186754032e40170d368cd1569212fb8f6cfac52cac1adcc83cde9bfc0606064
                                              • Opcode Fuzzy Hash: d2007b49e6727df71159eebbded34adfe1bfe89092f294aec6ccd6bc60d1cc55
                                              • Instruction Fuzzy Hash: 831110B6C0064A8FDB14CF9AC544BDEFBF4AF88324F14851AD819B7210C379A645CFA1
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 062CE345
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: dddbf01e686a6877fc938d3c859a242d6f9637ceb1dfc4643e39676f698ed268
                                              • Instruction ID: e6a7db66a6b345bd92749c98a8dc8307ab4420b7012c5e867c6c01b5e4019f85
                                              • Opcode Fuzzy Hash: dddbf01e686a6877fc938d3c859a242d6f9637ceb1dfc4643e39676f698ed268
                                              • Instruction Fuzzy Hash: B01103B5800349CFDB10DF9AD444BDEBFF8AB48324F248459E558A3210D779A544CFA5
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,062CD9FD), ref: 062CDA87
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4578938323.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_62c0000_739077083533.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 5b1a30a870728149e10de0a9207e03c8916e245e785cdd90ecf94fc7b6b0770b
                                              • Instruction ID: 9cd887539a5ec881733580ade7548cb39ef9ab06fc0239e49ef7b08b4f232efb
                                              • Opcode Fuzzy Hash: 5b1a30a870728149e10de0a9207e03c8916e245e785cdd90ecf94fc7b6b0770b
                                              • Instruction Fuzzy Hash: 5611F2B18042498FDB10DF9AD844BDEBBF4AF88324F20885AD958A7250C7B5A544CFA5
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572234172.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_115d000_739077083533.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 92022ee8907b4dab48697ad6223b7a5362fbc3d47b3c6cce8ccad3bcd4bca541
                                              • Instruction ID: fb6df7a604040db7e5b9506002cfec23c6a66df5639ae547e3990473a8b8b142
                                              • Opcode Fuzzy Hash: 92022ee8907b4dab48697ad6223b7a5362fbc3d47b3c6cce8ccad3bcd4bca541
                                              • Instruction Fuzzy Hash: 72210075604200EFDF59DF54E9C0B26BB61EB84314F20C56DDD1A4B252C77AD407CB62
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572234172.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_115d000_739077083533.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 13cd30f080a59c9878b1b870b05a06dfe014973c67971bdd02b71ccd057a0a90
                                              • Instruction ID: fcba016a3333254f5bc01b6e124821c2552e9868b6caab17b82059b3eb9f1ad9
                                              • Opcode Fuzzy Hash: 13cd30f080a59c9878b1b870b05a06dfe014973c67971bdd02b71ccd057a0a90
                                              • Instruction Fuzzy Hash: 1F21F2B1504204EFDF49DFA4E9C0B26BBA5FB84314F20C56DED0A4B256C37AD446CB62
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572234172.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_115d000_739077083533.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c99b148c547ddac76684d5c7cd1283fccac8c90842a418cb466938e67ec2a9b7
                                              • Instruction ID: e41e25ae1c319a0002e67fe6a2cbd45151b88dc9dabf4c4774bfdd97407e4fcc
                                              • Opcode Fuzzy Hash: c99b148c547ddac76684d5c7cd1283fccac8c90842a418cb466938e67ec2a9b7
                                              • Instruction Fuzzy Hash: EE21AC75509380CFDB07CF24D990B15BF71EB46214F28C5EAD8498B2A7C33AD80ACB62
                                              Memory Dump Source
                                              • Source File: 00000004.00000002.4572234172.000000000115D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0115D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_4_2_115d000_739077083533.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: d995b00d00e55cd09380dc6b4dc9fcb0e4c86312f1f46f4d8748a8c7f78b6f4c
                                              • Instruction ID: 6361194264a2455a4218333ea915ad71d564138d69b3fc4f102375980c3b4638
                                              • Opcode Fuzzy Hash: d995b00d00e55cd09380dc6b4dc9fcb0e4c86312f1f46f4d8748a8c7f78b6f4c
                                              • Instruction Fuzzy Hash: D411DD75504284CFDB0ACF14DAC0B15BFA1FB84218F24C6ADDC094B666C33AD44ACB52

                                              Execution Graph

                                              Execution Coverage: 8.4%
                                              Dynamic/Decrypted Code Coverage: 100%
                                              Signature Coverage: 0%
                                              Total number of Nodes: 222
                                              Total number of Limit Nodes: 13
                                              execution_graph 28145 772bb20 28146 772bcab 28145->28146 28147 772bb46 28145->28147 28147->28146 28149 7729078 28147->28149 28150 772bda0 PostMessageW 28149->28150 28151 772be0c 28150->28151 28151->28147 28152 2fbd6e8 DuplicateHandle 28153 2fbd77e 28152->28153 28432 772cf88 FindCloseChangeNotification 28433 772cfef 28432->28433 28154 2fbd4a0 28155 2fbd4e6 GetCurrentProcess 28154->28155 28157 2fbd538 GetCurrentThread 28155->28157 28158 2fbd531 28155->28158 28159 2fbd56e 28157->28159 28160 2fbd575 GetCurrentProcess 28157->28160 28158->28157 28159->28160 28163 2fbd5ab 28160->28163 28161 2fbd5d3 GetCurrentThreadId 28162 2fbd604 28161->28162 28163->28161 28164 2fb4a90 28165 2fb4a91 28164->28165 28166 2fb4a9f 28165->28166 28170 2fb4b89 28165->28170 28175 2fb4624 28166->28175 28168 2fb4aba 28171 2fb4bad 28170->28171 28179 2fb4c89 28171->28179 28183 2fb4c98 28171->28183 28176 2fb462f 28175->28176 28191 2fb5fdc 28176->28191 28178 2fb73c7 28178->28168 28181 2fb4c98 28179->28181 28180 2fb4d9c 28180->28180 28181->28180 28187 2fb4874 28181->28187 28185 2fb4cbf 28183->28185 28184 2fb4d9c 28184->28184 28185->28184 28186 2fb4874 CreateActCtxA 28185->28186 28186->28184 28188 2fb5d28 CreateActCtxA 28187->28188 28190 2fb5deb 28188->28190 28192 2fb5fe7 28191->28192 28195 2fb5ffc 28192->28195 28194 2fb746d 28194->28178 28196 2fb6007 28195->28196 28199 2fb602c 28196->28199 28198 2fb7542 28198->28194 28200 2fb6037 28199->28200 28203 2fb605c 28200->28203 28202 2fb7645 28202->28198 28204 2fb6067 28203->28204 28207 2fb8a2b 28204->28207 28209 2fbb0d8 28204->28209 28205 2fb8a69 28205->28202 28207->28205 28213 2fbd1c8 28207->28213 28220 2fbb0ff 28209->28220 28224 2fbb110 28209->28224 28210 2fbb0ee 28210->28207 28214 2fbd1c1 28213->28214 28215 2fbd1d6 28213->28215 28214->28205 28216 2fbd21d 28215->28216 28247 2fbd388 28215->28247 28251 2fbd377 28215->28251 28255 2fbd387 28215->28255 28216->28205 28221 2fbb110 28220->28221 28227 2fbb208 28221->28227 
28222 2fbb11f 28222->28210 28226 2fbb208 2 API calls 28224->28226 28225 2fbb11f 28225->28210 28226->28225 28228 2fbb219 28227->28228 28229 2fbb23c 28227->28229 28228->28229 28235 2fbb491 28228->28235 28239 2fbb4a0 28228->28239 28229->28222 28230 2fbb234 28230->28229 28231 2fbb440 GetModuleHandleW 28230->28231 28232 2fbb46d 28231->28232 28232->28222 28236 2fbb4b4 28235->28236 28238 2fbb4d9 28236->28238 28243 2fbac10 28236->28243 28238->28230 28241 2fbb4b4 28239->28241 28240 2fbb4d9 28240->28230 28241->28240 28242 2fbac10 LoadLibraryExW 28241->28242 28242->28240 28244 2fbb680 LoadLibraryExW 28243->28244 28246 2fbb6f9 28244->28246 28246->28238 28250 2fbd395 28247->28250 28248 2fbd3cf 28248->28216 28250->28248 28259 2fbcf68 28250->28259 28252 2fbd393 28251->28252 28253 2fbd3cf 28252->28253 28254 2fbcf68 2 API calls 28252->28254 28253->28216 28254->28253 28256 2fbd395 28255->28256 28257 2fbd3cf 28256->28257 28258 2fbcf68 2 API calls 28256->28258 28257->28216 28258->28257 28260 2fbcf73 28259->28260 28262 2fbdce0 28260->28262 28263 2fbd094 28260->28263 28262->28262 28264 2fbd09f 28263->28264 28265 2fb605c 2 API calls 28264->28265 28266 2fbdd4f 28265->28266 28266->28262 28267 772995f 28268 7729809 28267->28268 28269 772988c 28268->28269 28272 772a990 28268->28272 28290 772a980 28268->28290 28273 772a9aa 28272->28273 28282 772a9ce 28273->28282 28308 772ae0b 28273->28308 28313 772b0a5 28273->28313 28318 772b1c4 28273->28318 28322 772ae64 28273->28322 28327 772ade7 28273->28327 28332 772b007 28273->28332 28339 772af23 28273->28339 28344 772b33f 28273->28344 28349 772ae1f 28273->28349 28354 772ae7f 28273->28354 28359 772b099 28273->28359 28364 772b078 28273->28364 28369 772ad75 28273->28369 28374 772aed3 28273->28374 28379 772aeed 28273->28379 28282->28269 28291 772a990 28290->28291 28292 772aed3 2 API calls 28291->28292 28293 772ad75 2 API calls 28291->28293 28294 772b078 2 API calls 28291->28294 28295 772b099 2 API calls 28291->28295 28296 772ae7f 2 API calls 28291->28296 
28297 772ae1f 2 API calls 28291->28297 28298 772b33f 2 API calls 28291->28298 28299 772af23 2 API calls 28291->28299 28300 772a9ce 28291->28300 28301 772b007 4 API calls 28291->28301 28302 772ade7 2 API calls 28291->28302 28303 772ae64 2 API calls 28291->28303 28304 772b1c4 2 API calls 28291->28304 28305 772b0a5 2 API calls 28291->28305 28306 772ae0b 2 API calls 28291->28306 28307 772aeed 2 API calls 28291->28307 28292->28300 28293->28300 28294->28300 28295->28300 28296->28300 28297->28300 28298->28300 28299->28300 28300->28269 28301->28300 28302->28300 28303->28300 28304->28300 28305->28300 28306->28300 28307->28300 28309 772ae18 28308->28309 28384 7728d70 28309->28384 28388 7728d68 28309->28388 28310 772b2bc 28314 772adf3 28313->28314 28315 772ae93 28314->28315 28392 7728b20 28314->28392 28396 7728b28 28314->28396 28315->28282 28320 7728d70 WriteProcessMemory 28318->28320 28321 7728d68 WriteProcessMemory 28318->28321 28319 772b1e8 28319->28282 28320->28319 28321->28319 28323 772b18a 28322->28323 28400 7728bd3 28323->28400 28404 7728bd8 28323->28404 28324 772b1a5 28328 772adf3 28327->28328 28329 772ae93 28328->28329 28330 7728b20 ResumeThread 28328->28330 28331 7728b28 ResumeThread 28328->28331 28329->28282 28330->28328 28331->28328 28335 7728bd3 Wow64SetThreadContext 28332->28335 28336 7728bd8 Wow64SetThreadContext 28332->28336 28333 772adf3 28334 772ae93 28333->28334 28337 7728b20 ResumeThread 28333->28337 28338 7728b28 ResumeThread 28333->28338 28334->28282 28335->28333 28336->28333 28337->28333 28338->28333 28341 772adf3 28339->28341 28340 772ae93 28340->28282 28341->28339 28341->28340 28342 7728b20 ResumeThread 28341->28342 28343 7728b28 ResumeThread 28341->28343 28342->28341 28343->28341 28345 772b362 28344->28345 28347 7728d70 WriteProcessMemory 28345->28347 28348 7728d68 WriteProcessMemory 28345->28348 28346 772b708 28347->28346 28348->28346 28350 772adf3 28349->28350 28351 772ae93 28350->28351 28352 7728b20 ResumeThread 28350->28352 28353 7728b28 
ResumeThread 28350->28353 28351->28282 28352->28350 28353->28350 28355 772adf3 28354->28355 28356 772ae93 28355->28356 28357 7728b20 ResumeThread 28355->28357 28358 7728b28 ResumeThread 28355->28358 28356->28282 28357->28355 28358->28355 28361 772adf3 28359->28361 28360 772ae93 28360->28282 28361->28360 28362 7728b20 ResumeThread 28361->28362 28363 7728b28 ResumeThread 28361->28363 28362->28361 28363->28361 28366 772adf3 28364->28366 28365 772ae93 28365->28282 28366->28365 28367 7728b20 ResumeThread 28366->28367 28368 7728b28 ResumeThread 28366->28368 28367->28366 28368->28366 28370 772ad94 28369->28370 28408 77293e4 28370->28408 28412 77293f8 28370->28412 28375 772b2db 28374->28375 28416 7728e60 28375->28416 28420 7728e58 28375->28420 28376 772b107 28376->28282 28380 772b398 28379->28380 28424 7728cb0 28380->28424 28428 7728ca8 28380->28428 28381 772b3b9 28385 7728d73 WriteProcessMemory 28384->28385 28387 7728e0f 28385->28387 28387->28310 28389 7728d6c WriteProcessMemory 28388->28389 28391 7728e0f 28389->28391 28391->28310 28393 7728b24 ResumeThread 28392->28393 28395 7728b99 28393->28395 28395->28314 28397 7728b2b ResumeThread 28396->28397 28399 7728b99 28397->28399 28399->28314 28401 7728bd8 Wow64SetThreadContext 28400->28401 28403 7728c65 28401->28403 28403->28324 28405 7728c1d Wow64SetThreadContext 28404->28405 28407 7728c65 28405->28407 28407->28324 28409 77293f4 28408->28409 28409->28409 28410 77295e6 CreateProcessA 28409->28410 28411 7729643 28410->28411 28413 77293fb 28412->28413 28413->28413 28414 77295e6 CreateProcessA 28413->28414 28415 7729643 28414->28415 28417 7728e63 ReadProcessMemory 28416->28417 28419 7728eef 28417->28419 28419->28376 28421 7728e5c ReadProcessMemory 28420->28421 28423 7728eef 28421->28423 28423->28376 28425 7728cb3 VirtualAllocEx 28424->28425 28427 7728d2d 28425->28427 28427->28381 28429 7728cac VirtualAllocEx 28428->28429 28431 7728d2d 28429->28431 28431->28381

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 02FBD51E
                                              • GetCurrentThread.KERNEL32 ref: 02FBD55B
                                              • GetCurrentProcess.KERNEL32 ref: 02FBD598
                                              • GetCurrentThreadId.KERNEL32 ref: 02FBD5F1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: 63381cd84ad5cb346984f4ee28844a8fa88e5ed66db75750b6b4f6095c0f5522
                                              • Instruction ID: fd195daacb759e5bef17a648830a938aa320228a00afdd67f7b6fe17e84c152a
                                              • Opcode Fuzzy Hash: 63381cd84ad5cb346984f4ee28844a8fa88e5ed66db75750b6b4f6095c0f5522
                                              • Instruction Fuzzy Hash: 785189B09013498FDB15CFAAD548BDEBBF1EF88318F20845AD509A7350C7789944CF66

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentProcess.KERNEL32 ref: 02FBD51E
                                              • GetCurrentThread.KERNEL32 ref: 02FBD55B
                                              • GetCurrentProcess.KERNEL32 ref: 02FBD598
                                              • GetCurrentThreadId.KERNEL32 ref: 02FBD5F1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: Current$ProcessThread
                                              • String ID:
                                              • API String ID: 2063062207-0
                                              • Opcode ID: cf7d5f6dba3722bbe53bbfc3f596bab2c731af7d50da87dba118bfd06dd58ca0
                                              • Instruction ID: eef991ff9679ca89a78f8b3a08f0a45b30f5c8b9809827ea933a848450f66b86
                                              • Opcode Fuzzy Hash: cf7d5f6dba3722bbe53bbfc3f596bab2c731af7d50da87dba118bfd06dd58ca0
                                              • Instruction Fuzzy Hash: F55177B09013498FDB14DFAAD548BDEBBF1EF88318F208459D509A7350CB78A944CF66

                                              Control-flow Graph

                                              control_flow_graph 44 77293e4-77293f2 45 77293f4-77293f9 44->45 46 77293fb-772948d 44->46 45->46 49 77294c6-77294e6 46->49 50 772948f-7729499 46->50 57 77294e8-77294f2 49->57 58 772951f-772954e 49->58 50->49 51 772949b-772949d 50->51 52 77294c0-77294c3 51->52 53 772949f-77294a9 51->53 52->49 55 77294ab 53->55 56 77294ad-77294bc 53->56 55->56 56->56 59 77294be 56->59 57->58 60 77294f4-77294f6 57->60 64 7729550-772955a 58->64 65 7729587-7729641 CreateProcessA 58->65 59->52 62 77294f8-7729502 60->62 63 7729519-772951c 60->63 66 7729506-7729515 62->66 67 7729504 62->67 63->58 64->65 69 772955c-772955e 64->69 78 7729643-7729649 65->78 79 772964a-77296d0 65->79 66->66 68 7729517 66->68 67->66 68->63 70 7729560-772956a 69->70 71 7729581-7729584 69->71 73 772956e-772957d 70->73 74 772956c 70->74 71->65 73->73 76 772957f 73->76 74->73 76->71 78->79 89 77296d2-77296d6 79->89 90 77296e0-77296e4 79->90 89->90 91 77296d8 89->91 92 77296e6-77296ea 90->92 93 77296f4-77296f8 90->93 91->90 92->93 94 77296ec 92->94 95 77296fa-77296fe 93->95 96 7729708-772970c 93->96 94->93 95->96 99 7729700 95->99 97 772971e-7729725 96->97 98 772970e-7729714 96->98 100 7729727-7729736 97->100 101 772973c 97->101 98->97 99->96 100->101 103 772973d 101->103 103->103
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0772962E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 0862521023d9dbf1b35ea48c58988fa9ef7c1aca0664affcec9d6e08e0f2650d
                                              • Instruction ID: 9d078e7bf67f6b6efc08bfcfccb2ecc808e7b655b73f8a589581e22ab89279ec
                                              • Opcode Fuzzy Hash: 0862521023d9dbf1b35ea48c58988fa9ef7c1aca0664affcec9d6e08e0f2650d
                                              • Instruction Fuzzy Hash: 82A15CB1D00229CFDB10CF69C8407DDBBB2BF48354F188569E919B7280DB759986DF91

                                              Control-flow Graph

                                              control_flow_graph 104 77293f8-772948d 107 77294c6-77294e6 104->107 108 772948f-7729499 104->108 115 77294e8-77294f2 107->115 116 772951f-772954e 107->116 108->107 109 772949b-772949d 108->109 110 77294c0-77294c3 109->110 111 772949f-77294a9 109->111 110->107 113 77294ab 111->113 114 77294ad-77294bc 111->114 113->114 114->114 117 77294be 114->117 115->116 118 77294f4-77294f6 115->118 122 7729550-772955a 116->122 123 7729587-7729641 CreateProcessA 116->123 117->110 120 77294f8-7729502 118->120 121 7729519-772951c 118->121 124 7729506-7729515 120->124 125 7729504 120->125 121->116 122->123 127 772955c-772955e 122->127 136 7729643-7729649 123->136 137 772964a-77296d0 123->137 124->124 126 7729517 124->126 125->124 126->121 128 7729560-772956a 127->128 129 7729581-7729584 127->129 131 772956e-772957d 128->131 132 772956c 128->132 129->123 131->131 134 772957f 131->134 132->131 134->129 136->137 147 77296d2-77296d6 137->147 148 77296e0-77296e4 137->148 147->148 149 77296d8 147->149 150 77296e6-77296ea 148->150 151 77296f4-77296f8 148->151 149->148 150->151 152 77296ec 150->152 153 77296fa-77296fe 151->153 154 7729708-772970c 151->154 152->151 153->154 157 7729700 153->157 155 772971e-7729725 154->155 156 772970e-7729714 154->156 158 7729727-7729736 155->158 159 772973c 155->159 156->155 157->154 158->159 161 772973d 159->161 161->161
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0772962E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 71f3615400eb64a2d5a74606807f51c164b0312d39f3d921ef65987c134ffd76
                                              • Instruction ID: 23117b859fcf391fb547f9f9c763be8c27fdba5583e83fa67884f44b4c086084
                                              • Opcode Fuzzy Hash: 71f3615400eb64a2d5a74606807f51c164b0312d39f3d921ef65987c134ffd76
                                              • Instruction Fuzzy Hash: E7914CB1D00229CFEB10CF69C8407DDBBB2BF48354F188569E919B7280DB75A985DF91

                                              Control-flow Graph

                                              control_flow_graph 162 2fbb208-2fbb217 163 2fbb219-2fbb226 call 2fbabac 162->163 164 2fbb243-2fbb247 162->164 171 2fbb228 163->171 172 2fbb23c 163->172 165 2fbb25b-2fbb29c 164->165 166 2fbb249-2fbb253 164->166 173 2fbb2a9-2fbb2b7 165->173 174 2fbb29e-2fbb2a6 165->174 166->165 221 2fbb22e call 2fbb491 171->221 222 2fbb22e call 2fbb4a0 171->222 172->164 175 2fbb2db-2fbb2dd 173->175 176 2fbb2b9-2fbb2be 173->176 174->173 178 2fbb2e0-2fbb2e7 175->178 179 2fbb2c9 176->179 180 2fbb2c0-2fbb2c7 call 2fbabb8 176->180 177 2fbb234-2fbb236 177->172 181 2fbb378-2fbb3f4 177->181 182 2fbb2e9-2fbb2f1 178->182 183 2fbb2f4-2fbb2fb 178->183 185 2fbb2cb-2fbb2d9 179->185 180->185 212 2fbb420-2fbb438 181->212 213 2fbb3f6-2fbb41e 181->213 182->183 186 2fbb308-2fbb311 call 2fbabc8 183->186 187 2fbb2fd-2fbb305 183->187 185->178 193 2fbb31e-2fbb323 186->193 194 2fbb313-2fbb31b 186->194 187->186 195 2fbb341-2fbb345 193->195 196 2fbb325-2fbb32c 193->196 194->193 219 2fbb348 call 2fbb7a0 195->219 220 2fbb348 call 2fbb790 195->220 196->195 198 2fbb32e-2fbb33e call 2fbabd8 call 2fbabe8 196->198 198->195 199 2fbb34b-2fbb34e 202 2fbb371-2fbb377 199->202 203 2fbb350-2fbb36e 199->203 203->202 214 2fbb43a-2fbb43d 212->214 215 2fbb440-2fbb46b GetModuleHandleW 212->215 213->212 214->215 216 2fbb46d-2fbb473 215->216 217 2fbb474-2fbb488 215->217 216->217 219->199 220->199 221->177 222->177
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02FBB45E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 80423d9eb4151c48e09bd52075b812d4ac233471584e8ffef8831d29149b48e9
                                              • Instruction ID: 404e27418f85a963568cb9a63b1a56e38422a83c6f04b3979e813a57802def3f
                                              • Opcode Fuzzy Hash: 80423d9eb4151c48e09bd52075b812d4ac233471584e8ffef8831d29149b48e9
                                              • Instruction Fuzzy Hash: 73814570A00B098FDB25DF6AC54579ABBF2FF88348F00892ED55A9BA40D775A845CB90

                                              Control-flow Graph

                                              control_flow_graph 223 2fb5d1c-2fb5de9 CreateActCtxA 225 2fb5deb-2fb5df1 223->225 226 2fb5df2-2fb5e4c 223->226 225->226 233 2fb5e5b-2fb5e5f 226->233 234 2fb5e4e-2fb5e51 226->234 235 2fb5e61-2fb5e6d 233->235 236 2fb5e70 233->236 234->233 235->236 238 2fb5e71 236->238 238->238
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02FB5DD9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 1aea1d9cd4e999109dc2653b22fc4abc1ff1a7c3e3be0ea750c0573b515f4885
                                              • Instruction ID: a8802b038aa8c802655891b85951495fc5daf009fd23d54ad35cc183ca1f9b34
                                              • Opcode Fuzzy Hash: 1aea1d9cd4e999109dc2653b22fc4abc1ff1a7c3e3be0ea750c0573b515f4885
                                              • Instruction Fuzzy Hash: F141EFB0C0071DCBEB25CFAAC984BCEBBB5BF48704F60816AD509AB251DB756946CF50

                                              Control-flow Graph

                                              • Nodes: 239 2fb4874-2fb5de9 CreateActCtxA; 242 2fb5deb-2fb5df1; 243 2fb5df2-2fb5e4c; 250 2fb5e5b-2fb5e5f; 251 2fb5e4e-2fb5e51; 252 2fb5e61-2fb5e6d; 253 2fb5e70; 255 2fb5e71
                                              • Edges: 239->242; 239->243; 242->243; 243->250; 243->251; 250->252; 250->253; 251->250; 252->253; 253->255; 255->255
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 02FB5DD9
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: 45a631f5d0a41c0ed6745b3f216298e3ab18627ea2329ccc101e0f8294bc2f08
                                              • Instruction ID: 534e78316686a6a13a66403a5d0e9f46eff4848c2479b2fe948d970031dc4ea4
                                              • Opcode Fuzzy Hash: 45a631f5d0a41c0ed6745b3f216298e3ab18627ea2329ccc101e0f8294bc2f08
                                              • Instruction Fuzzy Hash: A7410070C0071DCBEB25CFAAC984BDEBBB5BF48304F60816AD509AB251DB756945CF90

                                              Control-flow Graph

                                              • Nodes: 256 7728d68-7728d6a; 257 7728d73-7728dbe; 258 7728d6c-7728d71; 261 7728dc0-7728dcc; 262 7728dce-7728e0d WriteProcessMemory; 264 7728e16-7728e46; 265 7728e0f-7728e15
                                              • Edges: 256->257; 256->258; 257->261; 257->262; 258->257; 261->262; 262->264; 262->265; 265->264
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07728E00
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 43370739c9238b7172219b75b89499c3278e7c3b56d90ef332099e4aed49dcef
                                              • Instruction ID: 8d44578b106a0024fd050bb616b78fa994f3e6c7fe78c3609ec1839e4c052f96
                                              • Opcode Fuzzy Hash: 43370739c9238b7172219b75b89499c3278e7c3b56d90ef332099e4aed49dcef
                                              • Instruction Fuzzy Hash: 4C216BB19003199FDF10CFA9C8817EEBBF5FF48320F10882AE518A7241C7799954CBA5

                                              Control-flow Graph

                                              • Nodes: 269 7728d70-7728dbe; 272 7728dc0-7728dcc; 273 7728dce-7728e0d WriteProcessMemory; 275 7728e16-7728e46; 276 7728e0f-7728e15
                                              • Edges: 269->272; 269->273; 272->273; 273->275; 273->276; 276->275
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07728E00
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 6d78523c40a65031a21588d1c6c77e0a3dfee8f0e58583d53fca2d03cb5dc947
                                              • Instruction ID: f2bf98a29782a79ec3b906c5272d662f327e91da151e829c9827691e85978bd9
                                              • Opcode Fuzzy Hash: 6d78523c40a65031a21588d1c6c77e0a3dfee8f0e58583d53fca2d03cb5dc947
                                              • Instruction Fuzzy Hash: B72126B19003599FDB10CFAAC881BDEBBF5FF48310F10882AE919A7241C7799954DBA5

                                              Control-flow Graph

                                              • Nodes: 280 7728e58-7728e5a; 281 7728e63-7728eed ReadProcessMemory; 282 7728e5c-7728e61; 286 7728ef6-7728f26; 287 7728eef-7728ef5
                                              • Edges: 280->281; 280->282; 281->286; 281->287; 282->281; 287->286
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07728EE0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: ed7b0fa26eb4b1034211821eb4d6e13890fd546effa1332b3da9816034035efb
                                              • Instruction ID: b1258f936a34dba5053aa32af8a9f9517281b724c1a604d698b9e45642299caa
                                              • Opcode Fuzzy Hash: ed7b0fa26eb4b1034211821eb4d6e13890fd546effa1332b3da9816034035efb
                                              • Instruction Fuzzy Hash: 1C213BB1D003599FDB10CFAAC8417EEBBF5FF48320F10842AE519A7240CB799540DBA5

                                              Control-flow Graph

                                              • Nodes: 291 7728bd3-7728c23; 294 7728c33-7728c63 Wow64SetThreadContext; 295 7728c25-7728c31; 297 7728c65-7728c6b; 298 7728c6c-7728c9c
                                              • Edges: 291->294; 291->295; 294->297; 294->298; 295->294; 297->298
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07728C56
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 893460f84db88ba71accf20f9b7917934b5d3f4945645d357201fc926ee67a1e
                                              • Instruction ID: 0955cfa60445b7131ac51bb1127ed0257bdf3281086e100cef87843bcb4860e2
                                              • Opcode Fuzzy Hash: 893460f84db88ba71accf20f9b7917934b5d3f4945645d357201fc926ee67a1e
                                              • Instruction Fuzzy Hash: C6216AB19003198FDB10DFAAC4817EEBBF4EF88320F14842AD519A7240CB789585CFA5

                                              Control-flow Graph

                                              • Nodes: 312 7728e60-7728eed ReadProcessMemory; 316 7728ef6-7728f26; 317 7728eef-7728ef5
                                              • Edges: 312->316; 312->317; 317->316
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07728EE0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 608dffd51c05f7874d6b610ddec91495caa5aa8b866d8b65c4cec00f703da68d
                                              • Instruction ID: 595af1b186bacc73cbb8f57c21c1db4860b6e398d4bedcbc9bfab99c5158a8d4
                                              • Opcode Fuzzy Hash: 608dffd51c05f7874d6b610ddec91495caa5aa8b866d8b65c4cec00f703da68d
                                              • Instruction Fuzzy Hash: D12128B1C003599FDB10DFAAC881BDEBBF5FF48320F10842AE519A7250C7799550DBA5

                                              Control-flow Graph

                                              • Nodes: 302 7728bd8-7728c23; 304 7728c33-7728c63 Wow64SetThreadContext; 305 7728c25-7728c31; 307 7728c65-7728c6b; 308 7728c6c-7728c9c
                                              • Edges: 302->304; 302->305; 304->307; 304->308; 305->304; 307->308
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07728C56
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 28480cd75eb48cd09b7c98278a6483469860d9f79280d0335959589dc5272edc
                                              • Instruction ID: d59a508b29cb709d57ea79d840322dd56a6c858228c37e2455cd3373138b217c
                                              • Opcode Fuzzy Hash: 28480cd75eb48cd09b7c98278a6483469860d9f79280d0335959589dc5272edc
                                              • Instruction Fuzzy Hash: AA2149B1D003198FDB10DFAAC4857EEBBF4EF88320F14842AD519A7241CB79A945CFA5

                                              Control-flow Graph

                                              • Nodes: 321 2fbd6e8-2fbd77c DuplicateHandle; 322 2fbd77e-2fbd784; 323 2fbd785-2fbd7a2
                                              • Edges: 321->322; 321->323; 322->323
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FBD76F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 742d8abe2407e21d116fff21b821f2b9c47129adfefbf61873bb6607e6b1c001
                                              • Instruction ID: cfd95d51b804b3d016df0d1c4a3283c05c987d00b5eb7a9ec734bc31a38eeac0
                                              • Opcode Fuzzy Hash: 742d8abe2407e21d116fff21b821f2b9c47129adfefbf61873bb6607e6b1c001
                                              • Instruction Fuzzy Hash: 5521E4B59002099FDB10CFAAD984ADEBFF4FF48320F24841AE914A3310D375A954CF61

                                              Control-flow Graph

                                              • Nodes: 326 2fbd6e1-2fbd77c DuplicateHandle; 327 2fbd77e-2fbd784; 328 2fbd785-2fbd7a2
                                              • Edges: 326->327; 326->328; 327->328
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02FBD76F
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 11cafc8cccc5b144942f32745d396a54f89121a1ecfcc11e012d59b7f526e5c8
                                              • Instruction ID: 48b24cb89164cfe53dca75614933cca874373a4c6c9a0ffd7ad90d4edd5d7bd6
                                              • Opcode Fuzzy Hash: 11cafc8cccc5b144942f32745d396a54f89121a1ecfcc11e012d59b7f526e5c8
                                              • Instruction Fuzzy Hash: 1D21B3B5D002099FDB10CFAAD584AEEBBF5AF48324F24841AE914A7250D379A954CF61
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07728D1E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: 3280b23d096a4ca7aefb0f14259f9e5ef637662230dc5097da1221c8e24b1b43
                                              • Instruction ID: 12c04d6ad58c56dd4b03986cbaea419d9c6594b059702d685fec92a2b55f6177
                                              • Opcode Fuzzy Hash: 3280b23d096a4ca7aefb0f14259f9e5ef637662230dc5097da1221c8e24b1b43
                                              • Instruction Fuzzy Hash: E9116AB18003499FDB10CFAAC840BDFBBF5AF48320F108819E515A7210C775A550CFA1
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FBB4D9,00000800,00000000,00000000), ref: 02FBB6EA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 455eda6ee06710506bba34e9d91410cb5d3245faf17f7f3d568d6da99d1b79a3
                                              • Instruction ID: 430fc1b50edd495927069c5b9131d0e1364bd4117341f29aa3495f8cc54c522d
                                              • Opcode Fuzzy Hash: 455eda6ee06710506bba34e9d91410cb5d3245faf17f7f3d568d6da99d1b79a3
                                              • Instruction Fuzzy Hash: 4E1106B6D003499FDB10CFAAC844BDEFBF5AF48324F10845AD915A7200C3B5A944CFA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 2ab670ece5ad487d7f7c1bf4fd1e4fbe07f45a740470892837e7a989e7a64ec6
                                              • Instruction ID: 89e4e9725fb5a3055e0f1d31aae9093060db940af6c342d4c5eb7d355b37bdd9
                                              • Opcode Fuzzy Hash: 2ab670ece5ad487d7f7c1bf4fd1e4fbe07f45a740470892837e7a989e7a64ec6
                                              • Instruction Fuzzy Hash: 57118BB19003498FDB10DFAAC4457EEFBF4AF88320F14881ED119A7240CB76A445CBA5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FBB4D9,00000800,00000000,00000000), ref: 02FBB6EA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 6b6e0fb93cefe52e3814914d5fd8c6ac8c6f94f87ef62064f7cce481ae0352c0
                                              • Instruction ID: eb9d359651f9c1ec42e278bc07526db1d519d9e9cee70b3270dca7b120d0240a
                                              • Opcode Fuzzy Hash: 6b6e0fb93cefe52e3814914d5fd8c6ac8c6f94f87ef62064f7cce481ae0352c0
                                              • Instruction Fuzzy Hash: 1B1114B6D002498FDB10CFAAC484BDEFBF5EF48324F10845AD919A7210C3B5A545CFA5
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07728D1E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: f0d82c509577f38bb98ec864dcbd833d6c76a627b6c7d7788cd301b6b8ef04f5
                                              • Instruction ID: be3ada85107427db2ffc411773d099843e06af4112a889dd39831e63293ceb18
                                              • Opcode Fuzzy Hash: f0d82c509577f38bb98ec864dcbd833d6c76a627b6c7d7788cd301b6b8ef04f5
                                              • Instruction Fuzzy Hash: 811126729002499FDB10DFAAC845BDFBBF5AF88320F148819E519A7250CB76A954CFA1
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0772CFE0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: c3e6f74bea64285c84c8f2f1a193dca8cb808eaf0f67ca75490bfd7c955cabe6
                                              • Instruction ID: 537168f52da449a6dba067614f0adce4600b51dffc6f3aa062323bcbb973fe66
                                              • Opcode Fuzzy Hash: c3e6f74bea64285c84c8f2f1a193dca8cb808eaf0f67ca75490bfd7c955cabe6
                                              • Instruction Fuzzy Hash: D71155B2800349CFCB20CFAAC444BEEBFF4EB48320F20845AD558A7241D779A584CFA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: ec3de0f513c8ebbec849a7065fec1988512d66c08343ffd7d5ebeb0ca7142da8
                                              • Instruction ID: 5a09253256fc083948b34cecf76dfd5fb00fd36034b4f707c384f166e6b81d48
                                              • Opcode Fuzzy Hash: ec3de0f513c8ebbec849a7065fec1988512d66c08343ffd7d5ebeb0ca7142da8
                                              • Instruction Fuzzy Hash: E8113AB19003498FDB10DFAAC44579FFBF5AF88724F24881DD519A7240CB75A544CB95
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02FBB4D9,00000800,00000000,00000000), ref: 02FBB6EA
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 6fd65e55fcd8992b81fe2fda5c354dfe8bd26541b2fdcb05e2bdcbc33f0366b3
                                              • Instruction ID: 8c72e2a2fb243f0f84903c54b007ca5d757feea1e237f821c41d0e780428c6f5
                                              • Opcode Fuzzy Hash: 6fd65e55fcd8992b81fe2fda5c354dfe8bd26541b2fdcb05e2bdcbc33f0366b3
                                              • Instruction Fuzzy Hash: E001F5719043088FDB11CFA9D8447DABBF4EF56328F14409AD604D7250C3B59405CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0772BDFD
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: b3b8ca4a998eaf49d22ab6a4b36017e52dc4196d9c5864b504b03d2020c70b80
                                              • Instruction ID: df17c25cf8830ec99dda9eb5c36a0e942f5ee4ca2185dfa66f06fccf40d0c0c1
                                              • Opcode Fuzzy Hash: b3b8ca4a998eaf49d22ab6a4b36017e52dc4196d9c5864b504b03d2020c70b80
                                              • Instruction Fuzzy Hash: CF11F2B58003599FDB20DF9AC444BDEBBF8EB48320F20845AE518A7211D3B5A954CFA5
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0772CFE0
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: 35f170042a5d7ae1c6edb9bdfb7168b4c5220e08e35669ea44026704a5efadc6
                                              • Instruction ID: 56abf61883f8d40bf120ec2a6a201dc41fd1b4a741c84c0a15e46eda9b08175b
                                              • Opcode Fuzzy Hash: 35f170042a5d7ae1c6edb9bdfb7168b4c5220e08e35669ea44026704a5efadc6
                                              • Instruction Fuzzy Hash: A71103B6800359CFDB10DF9AC545BDEBBF4EB48320F20841AD568A7241D779A544CFA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02FBB45E
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293874364.0000000002FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02FB0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_2fb0000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: c037390feb80b1af8ab08e210f513529359241bc0e58dd739733294da20a4924
                                              • Instruction ID: 8443331e4c92763e03bcf7fd84326bee1544e90d68bd67ce2f54d1d338af8c3e
                                              • Opcode Fuzzy Hash: c037390feb80b1af8ab08e210f513529359241bc0e58dd739733294da20a4924
                                              • Instruction Fuzzy Hash: B311DFB6C00649CFDB10CFAAC544BDEFBF4AF88628F10845AD919A7210D779A545CFA1
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0772BDFD
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2297912709.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_7720000_skyT.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 63cac19354e53f4e4de57277376c2b6d491204602598c686112ff8a32f11a494
                                              • Instruction ID: f6f13f8ba9da1ee570d77a2033fb2ef1e88443e0c1b247bf2e89edba4c3bebba
                                              • Opcode Fuzzy Hash: 63cac19354e53f4e4de57277376c2b6d491204602598c686112ff8a32f11a494
                                              • Instruction Fuzzy Hash: 221103B5800349DFDB10DF9AC445BDEBBF4FB48320F20885AD918A7211D375A954CFA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293519938.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_172d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1fdbd9893ec547b3869516a7298b83f186c29d930c94b62c4ea9bb61c141d413
                                              • Instruction ID: 0a6a4c43a898935897b5f02b7811449cffb6af26eafa723e8bd812fbf56a8360
                                              • Opcode Fuzzy Hash: 1fdbd9893ec547b3869516a7298b83f186c29d930c94b62c4ea9bb61c141d413
                                              • Instruction Fuzzy Hash: CC2103B2504240EFDB25DF55D9C0B26FF65FB88318F30C5ADE9090B256C376D456CAA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293571024.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_173d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 91f6d34748c4afe14649e3ac969f02e128ab585b1a83990b825e509113037428
                                              • Instruction ID: d4639644c058af67e9edcd4190eb71dc7029270a816b10fb9b61d4fce9ee0235
                                              • Opcode Fuzzy Hash: 91f6d34748c4afe14649e3ac969f02e128ab585b1a83990b825e509113037428
                                              • Instruction Fuzzy Hash: C92100B5604204EFDB25DFA4D9C0B26FB65FBC8B14F60C5ADE94A0B253C37AD406CA61
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293519938.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_172d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction ID: 9eb18a174c45a1da3eeece63996d3909d0731fa008ecd80f1dd6adbaea44d3be
                                              • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction Fuzzy Hash: 8711CD76404280CFCB12CF54D5C0B16BF62FB84218F34C6A9D8090B256C33AD456CBA1
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293571024.000000000173D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0173D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_173d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                              • Instruction ID: 6e88b6faf8e80bd97ec7941f5cf75dbd5b588579d9cfd646fd0d5455cb7e3274
                                              • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                              • Instruction Fuzzy Hash: BF11DD76504284CFCB22CF54D5C4B15FFA2FB88714F24C6AAD8494B657C33AD40ACBA2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293519938.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_172d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6cbd9661e4a5e2411f661a1678f8b065fa8be0e4c96e68d56f4e1451b3661ca2
                                              • Instruction ID: 6346fb9b002b2350e30b959ed7a495fbafd56fc374509e39b5ac9a9e273e89d2
                                              • Opcode Fuzzy Hash: 6cbd9661e4a5e2411f661a1678f8b065fa8be0e4c96e68d56f4e1451b3661ca2
                                              • Instruction Fuzzy Hash: F901F2710043949AF7204AAACD80B66FF98EF41320F18845AEE094A397C7BC9841C6B2
                                              Memory Dump Source
                                              • Source File: 00000006.00000002.2293519938.000000000172D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0172D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_6_2_172d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 371473835d98bb43560857a59460a5bfecfd737161dd6c24b1dd9bce1a55dd5d
                                              • Instruction ID: 8b2d3862459095de06bc5eef3917c102752c2ca4170db82acf6661e565811620
                                              • Opcode Fuzzy Hash: 371473835d98bb43560857a59460a5bfecfd737161dd6c24b1dd9bce1a55dd5d
                                              • Instruction Fuzzy Hash: F0F0C2714053949EE7208A5ADC84B62FFA8EF50734F18C45AED080B387C379A844CAB1

                                              Execution Graph

                                              Execution Coverage:11.8%
                                              Dynamic/Decrypted Code Coverage:93.9%
                                              Signature Coverage:0%
                                              Total number of Nodes:231
                                              Total number of Limit Nodes:22
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79aa7837909f5316db0416197d57c63dac9ff182a51a895fd2dfaf4def502504
                                              • Instruction ID: 569efa6fbcd90bdd25905cde27b4c8d70784d936f71a3c305d8101df6515c343
                                              • Opcode Fuzzy Hash: 79aa7837909f5316db0416197d57c63dac9ff182a51a895fd2dfaf4def502504
                                              • Instruction Fuzzy Hash: A863F831D10B1A8ADB11EF68C884A99F7B1FF99310F15D79AE44877121EB70AAC5CF81
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 67471b95b5c7a461912ffa136808caa007a3a2dc2e216d29766d961cc59b5c1b
                                              • Instruction ID: a30fc47b114a2965db81949bd8984c60729991b7f6e26a7a9ec7ec3f4ad903af
                                              • Opcode Fuzzy Hash: 67471b95b5c7a461912ffa136808caa007a3a2dc2e216d29766d961cc59b5c1b
                                              • Instruction Fuzzy Hash: 36332D31D10B598EDB11EF68C8846ADF7B1FF99300F14D69AE449A7211EB70EAC5CB81
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b8f5551619a36ace8fa2161b8fca10c6d771d8a3252b073fadd05b0a4e804aa7
                                              • Instruction ID: bbe6b4dcaea19990c02bff7c3cdced67945926e777f4257f945f943021a4aaf0
                                              • Opcode Fuzzy Hash: b8f5551619a36ace8fa2161b8fca10c6d771d8a3252b073fadd05b0a4e804aa7
                                              • Instruction Fuzzy Hash: 04C1AE70A00215CFDB14CFA9D8807AEB7B6FF88310F1485AAE909DB395DB74D981CB95
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9bedc2e78fd4fb350ade3999917a5214354e20462851054d98b087f118b62a88
                                              • Instruction ID: 8d6697913bf466d78b4145a72322e958287222e12fa4b11eab185134635e6f23
                                              • Opcode Fuzzy Hash: 9bedc2e78fd4fb350ade3999917a5214354e20462851054d98b087f118b62a88
                                              • Instruction Fuzzy Hash: 80D17F35A00225CFDB14DBA5D884AAEBBF6FF88310F144569E805EB394DB75DD81CB90
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 084db95b0c3f65fa6d92499c47b311ef368e685f3c9d649b95b84b7b2eda3132
                                              • Instruction ID: dd62d4ad8ef0e4605f0728db6a1ecafb10029571e511d62356e64b4166f9859c
                                              • Opcode Fuzzy Hash: 084db95b0c3f65fa6d92499c47b311ef368e685f3c9d649b95b84b7b2eda3132
                                              • Instruction Fuzzy Hash: 0BB16C70E006298FDB28CFA9C88179DBBF2AF88714F148529D815E7294EB74D9C1CF95
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e5b86a0f24feaf3f5b78e67fb876bf2a3a75916df07c2c2bbfe7af7ef8d76885
                                              • Instruction ID: 51636f022dd78245c5d71b3a7fed65a6d366a7cdb733f9fa18188f6b4d75e6ce
                                              • Opcode Fuzzy Hash: e5b86a0f24feaf3f5b78e67fb876bf2a3a75916df07c2c2bbfe7af7ef8d76885
                                              • Instruction Fuzzy Hash: 32917D70E00259CFDF24CFA9C98579EBBF2AF88714F148129E814A7254EB35D985CF89

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 953 638796e-6387974 954 638790d-6387943 GetModuleHandleW 953->954 955 6387976-63879cf 953->955 959 638794c-6387960 954->959 960 6387945-638794b 954->960 957 6387a08-6387a56 955->957 958 63879d1-63879db 955->958 970 6387a58-6387a5e 957->970 971 6387a5f-6387a90 957->971 958->957 961 63879dd-63879df 958->961 960->959 963 63879e1-63879eb 961->963 964 6387a02-6387a05 961->964 966 63879ed 963->966 967 63879ef-63879fe 963->967 964->957 966->967 967->967 969 6387a00 967->969 969->964 970->971 974 6387aa0 971->974 975 6387a92-6387a96 971->975 977 6387aa1 974->977 975->974 976 6387a98 975->976 976->974 977->977
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06387936
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 48a7434d44e9b541bf35d9f928cf1e36a8efc128c9c7c9992ebb28550ffbde0a
                                              • Instruction ID: ba76abeb15df40ce4ebf229d4397ddd54e20bad1944ef0f33cb87e95cea4f978
                                              • Opcode Fuzzy Hash: 48a7434d44e9b541bf35d9f928cf1e36a8efc128c9c7c9992ebb28550ffbde0a
                                              • Instruction Fuzzy Hash: BF4151B1D103498FCB54DFA8C884BDEBBF2AB08310F20852AE819A7340D3789549CFA1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 978 6388972-63889de 979 63889e9-63889f0 978->979 980 63889e0-63889e6 978->980 981 63889fb-6388a33 979->981 982 63889f2-63889f8 979->982 980->979 983 6388a3b-6388a9a CreateWindowExW 981->983 982->981 984 6388a9c-6388aa2 983->984 985 6388aa3-6388adb 983->985 984->985 989 6388ae8 985->989 990 6388add-6388ae0 985->990 991 6388ae9 989->991 990->989 991->991
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06388A8A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: cfd842554e65b15957fc4aecd4674687bcca03514e669519a334b05529233584
                                              • Instruction ID: 4315056a64fc1706038d149d4d92c067164dc2708174651d083696f2eba6ce5b
                                              • Opcode Fuzzy Hash: cfd842554e65b15957fc4aecd4674687bcca03514e669519a334b05529233584
                                              • Instruction Fuzzy Hash: F751C0B1D00349DFDB14CF9AC884ADEBFB5BF48310F64862AE819AB250D7759945CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 992 6388978-63889de 993 63889e9-63889f0 992->993 994 63889e0-63889e6 992->994 995 63889fb-6388a9a CreateWindowExW 993->995 996 63889f2-63889f8 993->996 994->993 998 6388a9c-6388aa2 995->998 999 6388aa3-6388adb 995->999 996->995 998->999 1003 6388ae8 999->1003 1004 6388add-6388ae0 999->1004 1005 6388ae9 1003->1005 1004->1003 1005->1005
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06388A8A
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 4a23585613f945be647234830b89af9b1cd0d318cdd712a5ba0debed26786159
                                              • Instruction ID: 76c2f878e4085f408196507296466951f68a8f2d97b9cc7ab1e0f67943822d83
                                              • Opcode Fuzzy Hash: 4a23585613f945be647234830b89af9b1cd0d318cdd712a5ba0debed26786159
                                              • Instruction Fuzzy Hash: 5741BEB1D00349DFDB14DF9AC884ADEBBB5BF48310F64862AE819AB250D775A845CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1006 638c28c-638d5ac 1009 638d65c-638d67c call 6386c2c 1006->1009 1010 638d5b2-638d5b7 1006->1010 1018 638d67f-638d68c 1009->1018 1012 638d5b9-638d5f0 1010->1012 1013 638d60a-638d642 CallWindowProcW 1010->1013 1019 638d5f9-638d608 1012->1019 1020 638d5f2-638d5f8 1012->1020 1014 638d64b-638d65a 1013->1014 1015 638d644-638d64a 1013->1015 1014->1018 1015->1014 1019->1018 1020->1019
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0638D631
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 78702a2635f11aef6bdac20ebfae32c0333aec7611f6efd8becf41098f4111df
                                              • Instruction ID: e2ec526a6c483ea7069401a66c5719ef0b642d40bbe4812eba28cbdbfcdec5ee
                                              • Opcode Fuzzy Hash: 78702a2635f11aef6bdac20ebfae32c0333aec7611f6efd8becf41098f4111df
                                              • Instruction Fuzzy Hash: C94149B8900309CFDB54DF99C488AAABBF5FF88314F248449D519AB361D774A840CFA0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1023 638e2ac-638e2b4 1024 638e300-638e308 1023->1024 1025 638e2b6-638e2ff 1023->1025 1027 638e312-638e350 OleGetClipboard 1024->1027 1025->1024 1028 638e359-638e3a7 1027->1028 1029 638e352-638e358 1027->1029 1034 638e3a9-638e3ad 1028->1034 1035 638e3b7 1028->1035 1029->1028 1034->1035 1036 638e3af 1034->1036 1037 638e3b8 1035->1037 1036->1035 1037->1037
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: 737d89e781a97ac065c4147cc0abc0cc605b31263f1ef95d8e4522ff9ef91884
                                              • Instruction ID: 120a842e83c7980304f5a9c9a28127516735764b2565a60422604ca97b95faa9
                                              • Opcode Fuzzy Hash: 737d89e781a97ac065c4147cc0abc0cc605b31263f1ef95d8e4522ff9ef91884
                                              • Instruction Fuzzy Hash: D73101B0D00308DFDB54DF99C984BDEBBF5AB48714F248059E444AB3A0D7B4A845CBA5

Control-flow Graph
• Graph: function 638dca8-638e3b8; block 638dca8-638e350 calls OleGetClipboard; ends in a self-looping block at 638e3b8
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: 03721a8427f96d31731bdf8d29fe7cb7553edb7330c3926b0f005682300008fa
                                              • Instruction ID: d44f53adfde88f65aeec86c712704c05a5f71d636eb9742aee4ddda2dd89a0c5
                                              • Opcode Fuzzy Hash: 03721a8427f96d31731bdf8d29fe7cb7553edb7330c3926b0f005682300008fa
                                              • Instruction Fuzzy Hash: 42310FB0D01308DFEB50DF99C984BDEBBF5AB88714F248059E404BB3A0D7B4A845CBA5

Control-flow Graph
• Graph: function 638c6d0-638c792; block 638c6d0-638c76c calls DuplicateHandle
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0638C75F
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 98a144d1957190538d52da5e4ae43feb461b007e873e4ee6a252faff3ea45402
                                              • Instruction ID: 848ca060333bd6450cbd34732b9c9ebb0d1c26a35796516de3344535b43752c5
                                              • Opcode Fuzzy Hash: 98a144d1957190538d52da5e4ae43feb461b007e873e4ee6a252faff3ea45402
                                              • Instruction Fuzzy Hash: CF21E5B59002499FDB10CFA9D984ADEBFF5EB48310F24845AE914A3350D374A954CFA4

Control-flow Graph
• Graph: function 638c6d8-638c792; block 638c6d8-638c76c calls DuplicateHandle
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0638C75F
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 85c6e74ddf20f0d312d204f6d26e1bcf66c5e1535ea2a63adb7477fcf6fde665
                                              • Instruction ID: b8a831595fb7695491451080f02b33b346c13821afcbd11fd1e6ea2c9c9bbf23
                                              • Opcode Fuzzy Hash: 85c6e74ddf20f0d312d204f6d26e1bcf66c5e1535ea2a63adb7477fcf6fde665
                                              • Instruction Fuzzy Hash: E921E4B5900349AFDB10CFAAD984ADEBBF4FB48320F14841AE914A3310D374A954CFA4

Control-flow Graph
• Graph: function 638fe01-638feb9; block 638fe5e-638fe90 calls SetWindowsHookExA
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0638FE83
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 8f545eda4ab9f41d5781e48cdec0e687aca660eabfb61ddccd3327b255518669
                                              • Instruction ID: 657e8fac3873023dad46457049b4ba4dfc17776592e8583badc3de2820efb3df
                                              • Opcode Fuzzy Hash: 8f545eda4ab9f41d5781e48cdec0e687aca660eabfb61ddccd3327b255518669
                                              • Instruction Fuzzy Hash: 072134B1D0034A9FDB10DFAAC844BEEFBF5AF88320F10842AD458A7250C774A944CFA1

Control-flow Graph
• Graph: function 638fe08-638feb9; block 638fe5e-638fe90 calls SetWindowsHookExA
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0638FE83
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: bf9b59616e549c733bbb8fc4115f0fd7819f284f237bae4f64b2c468ef129aca
                                              • Instruction ID: c20936f93b6aeef2d6e6b6bdf9172c8d67e826b894f6f80088f0de44ab0f7da2
                                              • Opcode Fuzzy Hash: bf9b59616e549c733bbb8fc4115f0fd7819f284f237bae4f64b2c468ef129aca
                                              • Instruction Fuzzy Hash: 342124B5D0024A9FDB54DF9AC844BEEFBF5BF88320F10842AD418A7250CB75A944CFA1

Control-flow Graph
• Graph: function 6385e44-6387960; block 6387918-6387943 calls GetModuleHandleW
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06387936
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 34ab00e8bb4f0b6e10648a9a006618d1a2b121e67f158c17342cc4f96e908d49
                                              • Instruction ID: d8ae218feefea28da3ba72f759112d00f348c0662fd2d46495444bc163a5ce5d
                                              • Opcode Fuzzy Hash: 34ab00e8bb4f0b6e10648a9a006618d1a2b121e67f158c17342cc4f96e908d49
                                              • Instruction Fuzzy Hash: CE1102B6C007498FDB10DF9AC484BDEFBF5EB88224F24846AD429B7600D379A545CFA5

Control-flow Graph
• Graph: function 638e169-638e1f8; block 638e170-638e1d2 calls OleInitialize
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0638E1C5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: c83ebf32f207fac9296491b58cc37daff9a86175e3bf44c8bd7c5351583f9392
                                              • Instruction ID: aec073867d367c01f0a4afcc8c49c6efcc141f0c1fe9222e2e36f4094f0aa332
                                              • Opcode Fuzzy Hash: c83ebf32f207fac9296491b58cc37daff9a86175e3bf44c8bd7c5351583f9392
                                              • Instruction Fuzzy Hash: C01122B5900349CFCB20DFAAC884BDEFBF4EB48224F248859E558A7200D374A944CFA5

Control-flow Graph
• Graph: function 638c2e4-638d931; block 638c2e4-638d914 calls KiUserCallbackDispatcher
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0638D87D), ref: 0638D907
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: e8376c9719ba6c91bc176b18b97b543372b726520262ce14d70f934568dad1bb
                                              • Instruction ID: 2045fe0a947da0510300c7b5b78a2f5bd6ad692af4160f7eb73f8bfa3240ad97
                                              • Opcode Fuzzy Hash: e8376c9719ba6c91bc176b18b97b543372b726520262ce14d70f934568dad1bb
                                              • Instruction Fuzzy Hash: 1D1122B58003498FDB60DF9AD484BDEBBF8EF48224F20845AD518A3240D3B8A944CFA5

Control-flow Graph
• Graph: function 638db90-638e1f8; block 638db90-638e1d2 calls OleInitialize
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0638E1C5
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: e29a4167bb0b9e05663bf79844257a7d458f630d5c56bfc27c3ab77473f69f66
                                              • Instruction ID: 67c2b182ac7c69d6ab9f8e1bf32b6461bd6096b9a9db99ad08154fe4ea73f50c
                                              • Opcode Fuzzy Hash: e29a4167bb0b9e05663bf79844257a7d458f630d5c56bfc27c3ab77473f69f66
                                              • Instruction Fuzzy Hash: 3F1115B5900349CFDB60DF9AC884BDEBBF4EB48324F208459E519A7600D375A944CFA5

Control-flow Graph
• Graph: function 63878cd-6387960; block 6387918-6387943 calls GetModuleHandleW
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06387936
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 6b618f87822ff59462411025b67bd3bf99a41473e27c57a8fbdd6f8b1e474905
                                              • Instruction ID: fc3a9200fedae9ad3472f85a50536dc6910069a424fa935ae4ab8dc0c0422beb
                                              • Opcode Fuzzy Hash: 6b618f87822ff59462411025b67bd3bf99a41473e27c57a8fbdd6f8b1e474905
                                              • Instruction Fuzzy Hash: EE1110B6C003498FCB10DF9AC984BDEFBF5AF88224F24845AC468B7200D379A545CFA0
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0638D87D), ref: 0638D907
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_6380000_skyT.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: f65c4c1fa37542cb472724c7e8d108ffe3e091ced830f2a7ef69f09fb7bc01d8
                                              • Instruction ID: ff60e3c4bc57735207c05242b424d9d1406d739ff8db47259fbbdad764d53355
                                              • Opcode Fuzzy Hash: f65c4c1fa37542cb472724c7e8d108ffe3e091ced830f2a7ef69f09fb7bc01d8
                                              • Instruction Fuzzy Hash: 4F1122B1800349CFDB20DF9AD884BDEBBF4EF48324F20845AD568A3240D7B4A944CFA5
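The function entries above (APIs list, Source File, Instruction Fuzzy Hash, and the control-flow edge list) are what an analyst pivots on when turning a report like this into hunting material. The script below is an added example, not Joe Sandbox code and not part of the report: it parses entries in the form rendered on this page and groups the Instruction Fuzzy Hashes by the behaviour their Win32 calls imply. The sample input is transcribed from four of the report's own entries; the behaviour labels in CAPABILITIES are general Win32 knowledge rather than report text, and the edge-list pattern (a block range followed by an API name) is an assumption about the graph format that matters here because the two OleGetClipboard entries carry an empty APIs list, so the edge list is the only place that call is recorded.

```python
import re
from dataclasses import dataclass, field

# Constructed input: four function entries transcribed from the report above and trimmed
# to the fields this parser reads. Addresses and hashes are the report's own values.
SAMPLE = """\
Control-flow Graph
control_flow_graph 1062 638fe01-638fe52 1065 638fe5e-638fe90 SetWindowsHookExA 1062->1065
APIs
• SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0638FE83
Memory Dump Source
• Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
• API ID: HookWindows
• Instruction Fuzzy Hash: 072134B1D0034A9FDB10DFAAC844BEEFBF5AF88320F10842AD458A7250C774A944CFA1
Control-flow Graph
control_flow_graph 1023 638e2ac-638e2b4 1027 638e312-638e350 OleGetClipboard 1024->1027
APIs
Memory Dump Source
• Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
• API ID: Clipboard
• Instruction Fuzzy Hash: D73101B0D00308DFDB54DF99C984BDEBBF5AB48714F248059E444AB3A0D7B4A845CBA5
Control-flow Graph
control_flow_graph 1052 638c6d0-638c76c DuplicateHandle 1053 638c76e-638c774 1052->1053
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0638C75F
Memory Dump Source
• Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
• API ID: DuplicateHandle
• Instruction Fuzzy Hash: CF21E5B59002499FDB10CFA9D984ADEBFF5EB48310F24845AE914A3350D374A954CFA4
Control-flow Graph
control_flow_graph 1081 6385e44-6387910 1083 6387918-6387943 GetModuleHandleW 1081->1083
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 06387936
Memory Dump Source
• Source File: 00000007.00000002.4578750796.0000000006380000.00000040.00000800.00020000.00000000.sdmp, Offset: 06380000, based on PE: false
• API ID: HandleModule
• Instruction Fuzzy Hash: CE1102B6C007498FDB10DF9AC484BDEFBF5EB88224F24846AD429B7600D379A545CFA5
"""

# "• Api.MODULE(args), ref: ADDR" lines of the APIs list
API_RE = re.compile(r"•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "<block range> <ApiName>" inside the edge list (assumed format; catches calls the APIs list omits)
CFG_API_RE = re.compile(r"[0-9a-f]+-[0-9a-f]+\s+([A-Z]\w+)")
SRC_RE = re.compile(r"•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+)")
FUZZY_RE = re.compile(r"•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-F]+)")

# Behavioural meaning of the APIs seen in this report: general Win32 knowledge, not report text.
CAPABILITIES = {
    "SetWindowsHookExA": "hook installation (keystroke capture when the hook type is a keyboard hook)",
    "OleGetClipboard": "clipboard read",
    "OleInitialize": "OLE initialisation (prerequisite for OleGetClipboard)",
    "DuplicateHandle": "handle duplication",
    "GetModuleHandleW": "module base resolution",
    "CallWindowProcW": "window-procedure forwarding (subclassing)",
    "KiUserCallbackDispatcher": "kernel-to-user callback dispatch",
}

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # (api, module, args, ref) from the APIs list
    cfg_apis: list = field(default_factory=list)  # API names seen only in the edge list
    source_file: str = ""
    base: int = 0                                 # region base from "Offset:"
    fuzzy_hash: str = ""                          # Instruction Fuzzy Hash, the pivot to similar functions

    def api_names(self):
        return sorted({a[0] for a in self.apis} | set(self.cfg_apis))

def parse_report(text):
    """One record per function; the Instruction Fuzzy Hash line closes each entry."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        if line.startswith("control_flow_graph"):
            cur.cfg_apis.extend(CFG_API_RE.findall(line))
        elif (m := API_RE.search(line)):
            cur.apis.append((m["api"], m["module"], m["args"], int(m["ref"], 16)))
        elif (m := SRC_RE.search(line)):
            cur.source_file, cur.base = m["file"], int(m["base"], 16)
        elif (m := FUZZY_RE.search(line)):
            cur.fuzzy_hash = m["hash"]
            records.append(cur)
            cur = FunctionRecord()
    return records

def capabilities(records):
    """Group fuzzy hashes by the behaviour their APIs imply; unknown APIs keep their own name."""
    out = {}
    for r in records:
        for api in r.api_names():
            out.setdefault(CAPABILITIES.get(api, api), []).append(r.fuzzy_hash)
    return out

def matches_stealer_profile(records):
    """Hook installation plus clipboard read in one dump: the keylogger/clipboard-stealer pattern
    behind the report's "Installs a global keyboard hook" and "clipboard capturing" signatures."""
    seen = {api for r in records for api in r.api_names()}
    return "SetWindowsHookExA" in seen and "OleGetClipboard" in seen

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for behaviour, hashes in capabilities(recs).items():
        print(f"{behaviour}: {len(hashes)} function(s)")
    print("stealer profile:", matches_stealer_profile(recs))
```

Run it as a script to see the grouping for the four sample entries; feed it the full text of this section to get every function's hashes. The Instruction Fuzzy Hash is the field worth keeping: the report computes it over the instruction stream of the dumped function, so the same value showing up under a different sample name is a cheap way to link unpacked AgentTesla payloads across reports, which the per-run Source File name (tied to this analysis's process and dump indices) cannot do.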
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 5
                                              • API String ID: 0-2226203566
                                              • Opcode ID: f5fcac862b1cea50ed5edeb124bf48ff52a05a28ec59089242c8e79212e501b1
                                              • Instruction ID: 8d9980f5b5460cd2e2b44611d35643580fc2b43fe7b042747a651db2aa65ca3d
                                              • Opcode Fuzzy Hash: f5fcac862b1cea50ed5edeb124bf48ff52a05a28ec59089242c8e79212e501b1
                                              • Instruction Fuzzy Hash: F4417E30E00269DBDB15DBA5C84479EF7B6EB85304F108529E806EB294EB74D9C6CB54
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5e569ce2248e788e5df382a8b765a37a6e882b2e2a1961eb364f14d1c7b8036f
                                              • Instruction ID: f0f6b6d1bf31c8c511bcc5425aec667dd3318f95efc929595192ab63ede55020
                                              • Opcode Fuzzy Hash: 5e569ce2248e788e5df382a8b765a37a6e882b2e2a1961eb364f14d1c7b8036f
                                              • Instruction Fuzzy Hash: D4B14D30700122CBDB29AA69E49872877A2FBDA355F50492DE505DF394CFB5E986C780
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 18e319eac435573f75ac8e85233a72e17aae1f9dd5303728a501eca8a9c714cb
                                              • Instruction ID: 4aa4fb5242a2a4f43e1bbe3f8dc64bb66509cb7724c045f2f5dc0aaa49fcbd1f
                                              • Opcode Fuzzy Hash: 18e319eac435573f75ac8e85233a72e17aae1f9dd5303728a501eca8a9c714cb
                                              • Instruction Fuzzy Hash: 28B15E307001138BDB29AA69E48871877A6FBD9355F50492DE505DF394CFB5ED86C780
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: ea982749581e25f7d1abb2f29c7462dec5a11d53cc6e6aa7bf9c0d15109e260d
                                              • Instruction ID: 4679a13e59525d8f1fabe0fc8b89e9c2cdfbad00d5ec0a7c749dbc7955793869
                                              • Opcode Fuzzy Hash: ea982749581e25f7d1abb2f29c7462dec5a11d53cc6e6aa7bf9c0d15109e260d
                                              • Instruction Fuzzy Hash: 88A16A70E00A298FDB24CFA9C88179DBBF2AF88714F148129D815E7294EB74D9C5CF95
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 499917ee4323b8cdc6101f43b328bb97ad1c094fac2e8e348bc4d9b4c6666d66
                                              • Instruction ID: 4e78cbcaa2f7aad17134e5f4a78cdfb6e8254d5b4793ffa3d0ac6ba46c798b9a
                                              • Opcode Fuzzy Hash: 499917ee4323b8cdc6101f43b328bb97ad1c094fac2e8e348bc4d9b4c6666d66
                                              • Instruction Fuzzy Hash: 80917C70E00259CFDB24CFA9C98579EBBF2AF88704F148129E814A7254EB35D985CF89
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a5dccb8daec9fd4645909695808153e2553f6ae4e3ac22c744b23a9d9948fa63
                                              • Instruction ID: 7d6ff9e929d8afbfa60cfd5434c3638e6e285e2a9f349e75ddcaf7b9d9be40b6
                                              • Opcode Fuzzy Hash: a5dccb8daec9fd4645909695808153e2553f6ae4e3ac22c744b23a9d9948fa63
                                              • Instruction Fuzzy Hash: 8A5127B4D002688FDB14CFAAD884B9DBBB5FF48314F648519E815BB350D7B4A884CF94
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 130d508c5e1bf4baae110882ccd9502724de9ee643a099d20658db0fde055d77
                                              • Instruction ID: 93006df4cb1b10fd4f0173129b0b293ba9a0b6b1c253eb1fd223ce523d4187d2
                                              • Opcode Fuzzy Hash: 130d508c5e1bf4baae110882ccd9502724de9ee643a099d20658db0fde055d77
                                              • Instruction Fuzzy Hash: BE51F9716052638FCB69EF2AF881D593FB1EBA13053049B69D2045B2BEEE747945CF80
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf03dbec2ccd89724604389a0bde040856e981ca5557b0be8047e682a72615b5
                                              • Instruction ID: 2866763e38c2963257a79638477d76996a07a533d2582c34dc18046d6b5409cc
                                              • Opcode Fuzzy Hash: bf03dbec2ccd89724604389a0bde040856e981ca5557b0be8047e682a72615b5
                                              • Instruction Fuzzy Hash: 795127B0D002688FDB14CFAAD884B9DBBB5FF48314F648519E815BB350D7B4A884CF98
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b30aa5e4fdd63ce25f503dbab930cb74527b7f3a2ad6e61cf7290c3b347d5dac
                                              • Instruction ID: ce01efdbc9773af43386bddd0cae91494e22c93f3f349ee8ad8c110b179a5c5f
                                              • Opcode Fuzzy Hash: b30aa5e4fdd63ce25f503dbab930cb74527b7f3a2ad6e61cf7290c3b347d5dac
                                              • Instruction Fuzzy Hash: 89F0F637A04170CBCB12CBA594942AC7BB1EA9821179C10D7DD0BDB312D3B5E982CF59
                                              Memory Dump Source
                                              • Source File: 00000007.00000002.4573124673.0000000002C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C50000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_7_2_2c50000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9aa64aad5c0fd6b8765ecdb2ff51f32ab2bc272d1d55544d59fd54fa61e2a298
                                              • Instruction ID: 06519602bc90f13890dac40d4af2eef5ba5a57921c3fc03aea3f0121474914d6
                                              • Opcode Fuzzy Hash: 9aa64aad5c0fd6b8765ecdb2ff51f32ab2bc272d1d55544d59fd54fa61e2a298
                                              • Instruction Fuzzy Hash: D2F04F34A0115ADFDF05FFA9F88059DBBB1EB94300F50566DC508AB254EE756E049F81

                                              Execution Graph

                                              Execution Coverage:8.7%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:230
                                              Total number of Limit Nodes:15
                                              [Execution graph: the node and edge list of the graph image did not survive the text rendering and is omitted here. API calls referenced by the graph nodes: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CallWindowProcW, GetModuleHandleW, FindCloseChangeNotification, DuplicateHandle, CreateActCtxA, LoadLibraryExW, PostMessageW.]

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce93f3: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is CreateProcessA (block 6ce9587-6ce9641).]
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CE962E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 55cddab93e0425bdea83092a6ae344e8cd0df91316d2e1ad9c3da6e878b30a14
                                              • Instruction ID: 45376ef21d9f105d4a98d7869a637eab58aac05621f58c6d55b4fff7428801db
                                              • Opcode Fuzzy Hash: 55cddab93e0425bdea83092a6ae344e8cd0df91316d2e1ad9c3da6e878b30a14
                                              • Instruction Fuzzy Hash: FA915A71D01219DFEF60CF69C841BDEBBB2BF48314F1485AAE809A7240DB749A85CF91

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce93f8: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is CreateProcessA (block 6ce9587-6ce9641).]
                                              APIs
                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CE962E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateProcess
                                              • String ID:
                                              • API String ID: 963392458-0
                                              • Opcode ID: 2fd12420c38f4250857d38a495806c4011d52262ae74bc14bb3a7dd935494d8d
                                              • Instruction ID: 1f994927ea33ef9b2c47cb8f3021fa92135fb300ba6d0f44eeabd3ab523683ee
                                              • Opcode Fuzzy Hash: 2fd12420c38f4250857d38a495806c4011d52262ae74bc14bb3a7dd935494d8d
                                              • Instruction Fuzzy Hash: C6915971D01219DFEF60CF69C841BEDBBB2BF48314F1485AAE809A7240DB749A85CF91

                                              Control-flow Graph

                                              [Control-flow graph for the function at 26b5d1c: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is CreateActCtxA (block 26b5d1c-26b5de9).]
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 026B5DD9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: ecec17af0b2e7e5839da5f3b7c7a3820d6accbd9c78095599ed36b2a10a2756a
                                              • Instruction ID: 6867cf6d21bcd95ff7645f82bb83d40b426d6a719a237ae03e025aba2be53687
                                              • Opcode Fuzzy Hash: ecec17af0b2e7e5839da5f3b7c7a3820d6accbd9c78095599ed36b2a10a2756a
                                              • Instruction Fuzzy Hash: 614102B1C00719CBEB25CFA9C9847CEBBF2BF48704F60816AD409AB251DB756946CF90

                                              Control-flow Graph

                                              [Control-flow graph for the function at 4d112a4: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph contains a call to 4d1117c (block 4d143ac-4d143cc) and one API node, CallWindowProcW (block 4d1435a-4d14392).]
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D14381
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2358965167.0000000004D10000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_4d10000_skyT.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: 3db465dcb44d7ffe1d4e8c3299f3bfb9fe23e4b1811c977afb2d1170c5fb1b78
                                              • Instruction ID: 172db34e4496b0e7347051f5e4816065e2d5aa3369641b37c4a230b0ee7625b8
                                              • Opcode Fuzzy Hash: 3db465dcb44d7ffe1d4e8c3299f3bfb9fe23e4b1811c977afb2d1170c5fb1b78
                                              • Instruction Fuzzy Hash: D9411AB5A00305EFDB14CF99D488AAEFBF5FF88314F248459D519A7361D774A841CBA0

                                              Control-flow Graph

                                              [Control-flow graph for the function at 26b4874: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is CreateActCtxA (block 26b4874-26b5de9).]
                                              APIs
                                              • CreateActCtxA.KERNEL32(?), ref: 026B5DD9
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: Create
                                              • String ID:
                                              • API String ID: 2289755597-0
                                              • Opcode ID: c533d25bbd5f1e7bbb0759969c0de68279640fbbac0901aa78c12bcc3a4cb6bc
                                              • Instruction ID: 028a56d748e9857ea7cd19dd10ca84036a486aab712f6b7b29ce457152c385fd
                                              • Opcode Fuzzy Hash: c533d25bbd5f1e7bbb0759969c0de68279640fbbac0901aa78c12bcc3a4cb6bc
                                              • Instruction Fuzzy Hash: D141EFB0C00719CBEB25CFA9C9887CEBBB5BF48304F60816AD409AB251DB716946CF90

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce8d6b: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is WriteProcessMemory (block 6ce8dce-6ce8e0d).]
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CE8E00
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: 46413705c09e8cde4ef4a8d82e953620aa174416d8c62ceae2d2d06b6ae0abed
                                              • Instruction ID: 1587eec346a2056e2fbd51c29c59f2dc82eb43ff34daab10f7c66036eff072e4
                                              • Opcode Fuzzy Hash: 46413705c09e8cde4ef4a8d82e953620aa174416d8c62ceae2d2d06b6ae0abed
                                              • Instruction Fuzzy Hash: D32148B59013499FDB10CFA9C881BDEBBF5FF48314F108429E918A7240C7789950CBA5

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce8d70: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is WriteProcessMemory (block 6ce8dce-6ce8e0d).]
                                              APIs
                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CE8E00
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessWrite
                                              • String ID:
                                              • API String ID: 3559483778-0
                                              • Opcode ID: d33f96ac228bdcece139735b24e0d75bf899dc94de26845171845b4977c88034
                                              • Instruction ID: f45233dabc9f3d45778e060f4d0a628456646cb9be6c115e1f4a5b68d9ae096e
                                              • Opcode Fuzzy Hash: d33f96ac228bdcece139735b24e0d75bf899dc94de26845171845b4977c88034
                                              • Instruction Fuzzy Hash: AB2126B59003499FDB10CFA9C881BDEBBF5FF48314F10842AE918A7241C7789950CBA5

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce8e5b: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is ReadProcessMemory (block 6ce8e5b-6ce8eed).]
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CE8EE0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: f2f66c1c44d763e7289d68cbaa704e619e713eeb87d6a137f520e56c39eac32a
                                              • Instruction ID: d587ae0a53b323ba0ba2388d3ef0d475a42c16bee3f1f4da8d89d552210ab43c
                                              • Opcode Fuzzy Hash: f2f66c1c44d763e7289d68cbaa704e619e713eeb87d6a137f520e56c39eac32a
                                              • Instruction Fuzzy Hash: B32116B58013499FDB10DFAAC881BDEFBF5FF48324F108429E519A7240CB799950CBA5

                                              Control-flow Graph

                                              [Control-flow graph for the function at 6ce8bd3: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is Wow64SetThreadContext (block 6ce8c33-6ce8c63).]
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CE8C56
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 3cae69708e2e5d6b38036407267adc2794553e3408e305a6615a41a7d9495abc
                                              • Instruction ID: c68a2b6db9892237c1f2ca316599aee1ee638091893ee3b37abbdfca1f17c3b4
                                              • Opcode Fuzzy Hash: 3cae69708e2e5d6b38036407267adc2794553e3408e305a6615a41a7d9495abc
                                              • Instruction Fuzzy Hash: DD213775D013099FDB10DFAAC885BEEBBF4AF88224F148429D519A7240CB789945CBA5

                                              Control-flow Graph

                                              [Control-flow graph for the function at 26bd030: basic-block node and edge list omitted; the executed / not-executed node marking is not recoverable from the text rendering. The graph's only API node is DuplicateHandle (block 26bd030-26bd77c).]
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026BD6AE,?,?,?,?,?), ref: 026BD76F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: e0a2ebe24dd0615b119b0d3a23f8f3099928878bcd30c0791aab550dd3e1420b
                                              • Instruction ID: dd6dafc3ade02364842d0a2ed961ca10352f772fa93f93b67407cbfa5904dc02
                                              • Opcode Fuzzy Hash: e0a2ebe24dd0615b119b0d3a23f8f3099928878bcd30c0791aab550dd3e1420b
                                              • Instruction Fuzzy Hash: ED21D4B5900249AFDB10CF9AD984ADEFBF4EF48324F14841AE914A7310D375A950CFA5

                                               Control-flow Graph
                                               • Basic blocks (graph rendering omitted): 6ce8e60-6ce8eed (calls ReadProcessMemory); 6ce8eef-6ce8ef5; 6ce8ef6-6ce8f26
                                               • Edges: 6ce8e60→6ce8eef, 6ce8e60→6ce8ef6, 6ce8eef→6ce8ef6
                                              APIs
                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CE8EE0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MemoryProcessRead
                                              • String ID:
                                              • API String ID: 1726664587-0
                                              • Opcode ID: 6dcd37fbc93830568846e481a4942e7b9ef6c74c3bb9428c5da32451e3773509
                                              • Instruction ID: 18f749155dfaddf62f67122fc848db186c6dba1c07d9962b4cb5ef994cde37d2
                                              • Opcode Fuzzy Hash: 6dcd37fbc93830568846e481a4942e7b9ef6c74c3bb9428c5da32451e3773509
                                              • Instruction Fuzzy Hash: C42114B18003499FDB10CFAAC881AEEFBF5FF48320F10842AE518A7240C7799950CBA5

                                               Control-flow Graph
                                               • Basic blocks (graph rendering omitted): 6ce8bd8-6ce8c23; 6ce8c25-6ce8c31; 6ce8c33-6ce8c63 (calls Wow64SetThreadContext); 6ce8c65-6ce8c6b; 6ce8c6c-6ce8c9c
                                               • Edges: 6ce8bd8→6ce8c25, 6ce8bd8→6ce8c33, 6ce8c25→6ce8c33, 6ce8c33→6ce8c65, 6ce8c33→6ce8c6c, 6ce8c65→6ce8c6c
                                              APIs
                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CE8C56
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ContextThreadWow64
                                              • String ID:
                                              • API String ID: 983334009-0
                                              • Opcode ID: 66863a1662f31fc2f212aedec1d0c003c9bb2accc88b59bd6ecbd11405cea797
                                              • Instruction ID: 0892f7aa627135afdd62636c7622f4ada00741dcff7a0e27cf9b5bbec1316631
                                              • Opcode Fuzzy Hash: 66863a1662f31fc2f212aedec1d0c003c9bb2accc88b59bd6ecbd11405cea797
                                              • Instruction Fuzzy Hash: 00213571D003098FDB10DFAAC8857AEBBF4EF88324F14842AD519A7240CB78A945CFA5

                                               Control-flow Graph
                                               • Basic blocks (graph rendering omitted): 26bd6e7-26bd77c (calls DuplicateHandle); 26bd77e-26bd784; 26bd785-26bd7a2
                                               • Edges: 26bd6e7→26bd77e, 26bd6e7→26bd785, 26bd77e→26bd785
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026BD6AE,?,?,?,?,?), ref: 026BD76F
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: ac32193c217e43fa126f7fb84cdef60a7c8f55137157c78d996019c45106c807
                                              • Instruction ID: 896cfd74ec162a103a55f20f52eaf96bcc2a6d4f1fdcff51eab4f6393bd92c1a
                                              • Opcode Fuzzy Hash: ac32193c217e43fa126f7fb84cdef60a7c8f55137157c78d996019c45106c807
                                              • Instruction Fuzzy Hash: 0C21D2B5900249AFDB10CF9AD984ADEBBF4EB48324F14841AE918A7310D375A950CFA1

                                               Control-flow Graph
                                               • Basic blocks (graph rendering omitted): 6ce8cab-6ce8d2b (calls VirtualAllocEx); 6ce8d2d-6ce8d33; 6ce8d34-6ce8d59
                                               • Edges: 6ce8cab→6ce8d2d, 6ce8cab→6ce8d34, 6ce8d2d→6ce8d34
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CE8D1E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: dfd6ac9cff995685900b13058d6be5c76e55e9cd9b021b1648f588e7d71a333d
                                              • Instruction ID: 89a228af0e16229a61a4927574ebf125290f2dc14c243b25695a4516c8651aa4
                                              • Opcode Fuzzy Hash: dfd6ac9cff995685900b13058d6be5c76e55e9cd9b021b1648f588e7d71a333d
                                              • Instruction Fuzzy Hash: 721159758003499FDB10CFAAD845BDFBBF5AF88324F108419E515A7250CB799550CBA1

                                               Control-flow Graph
                                               • Basic blocks (graph rendering omitted): 26bac10-26bb6c0; 26bb6c2-26bb6c5; 26bb6c8-26bb6f7 (calls LoadLibraryExW); 26bb6f9-26bb6ff; 26bb700-26bb71d
                                               • Edges: 26bac10→26bb6c2, 26bac10→26bb6c8, 26bb6c2→26bb6c8, 26bb6c8→26bb6f9, 26bb6c8→26bb700, 26bb6f9→26bb700
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026BB4D9,00000800,00000000,00000000), ref: 026BB6EA
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 34b5cc75582a5dc8af633ad664c28be09218e6b0f7045199b3faf86c7e5f7db4
                                              • Instruction ID: 3c9e74852f01adf6b6a278df58f4892371788420c0b73c8160d244e5696e7bae
                                              • Opcode Fuzzy Hash: 34b5cc75582a5dc8af633ad664c28be09218e6b0f7045199b3faf86c7e5f7db4
                                              • Instruction Fuzzy Hash: BE1106B69003499FDB10CF9AC944ADEFBF4AF48324F10842AD915A7200D3B5A945CFA5
                                              APIs
                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CE8D1E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: AllocVirtual
                                              • String ID:
                                              • API String ID: 4275171209-0
                                              • Opcode ID: ed380f31a8942a62a5164006d11aacc3822c516a457de1d4d4f5bb996e8d8767
                                              • Instruction ID: 9007545ee2b3d0d2f8e161cb14ea1877f1b1431d72ddd8003d45920f10723a99
                                              • Opcode Fuzzy Hash: ed380f31a8942a62a5164006d11aacc3822c516a457de1d4d4f5bb996e8d8767
                                              • Instruction Fuzzy Hash: 5E1156768003499FDB10CFAAC844BDEBBF5AF88324F10841AE519A7250C775A950CBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: b391a528a82ae70a646ed5d74e9c14a686cfe9446e7bc383e6628bf11aed6713
                                              • Instruction ID: 8282b899e6cebb7bd8134af87e5dbe5c83f8b0224ec6bd951643040919285d98
                                              • Opcode Fuzzy Hash: b391a528a82ae70a646ed5d74e9c14a686cfe9446e7bc383e6628bf11aed6713
                                              • Instruction Fuzzy Hash: DA1158B1D003498FDB20DFAAC845BDFFBF4AF88624F248419D519A7240CB79A544CBA5
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026BB4D9,00000800,00000000,00000000), ref: 026BB6EA
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 7400e0008eb67ed27c8d4739835c694800a3ce0b62782af05bee4e35e5bdaa37
                                              • Instruction ID: 65929e8471bbb468bcfe032cbe6b49b02ed8d76d056415afe07118a2e7f56aeb
                                              • Opcode Fuzzy Hash: 7400e0008eb67ed27c8d4739835c694800a3ce0b62782af05bee4e35e5bdaa37
                                              • Instruction Fuzzy Hash: C011E4B69002499FDB10CF9AD944ADEFBF4AF48324F10842AD919A7200D375A545CFA5
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06CECE39,?,?), ref: 06CECFE0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: f00a1f751c452b9a7315c3095eb8d6f740b48d7d922e3154014054fa89c7361a
                                              • Instruction ID: 0aa29d37b3a7c9c20acd49720b24bc807991cdebec658b983626b6994b97cddf
                                              • Opcode Fuzzy Hash: f00a1f751c452b9a7315c3095eb8d6f740b48d7d922e3154014054fa89c7361a
                                              • Instruction Fuzzy Hash: 331125B5804349DFDB50DF9AC445BEEBBF4EB48324F208419E968A7340D778A944CFA5
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06CECE39,?,?), ref: 06CECFE0
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              • Opcode ID: deb1f1d948f074beda401d66ef6e126c07afb275da4b8df3f68e934538b91428
                                              • Instruction ID: fa3a7f47d820a677d71e9bf13ddc09b844ec1aabe84dee53099432d0a22d6aaa
                                              • Opcode Fuzzy Hash: deb1f1d948f074beda401d66ef6e126c07afb275da4b8df3f68e934538b91428
                                              • Instruction Fuzzy Hash: F31155B58002898FDB10CF99C445BEEBBF4FF48324F20841AD968A7340D778A644CFA5
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: ResumeThread
                                              • String ID:
                                              • API String ID: 947044025-0
                                              • Opcode ID: 07c0f8bf4e07d707bb1d1cb709e0d157bbb522c8eecb0e9aebf96e92b8165371
                                              • Instruction ID: c8e3c8096e1eff79b20065c4c9187067bbc72d5d21dbfc74f9acc63276d9df2d
                                              • Opcode Fuzzy Hash: 07c0f8bf4e07d707bb1d1cb709e0d157bbb522c8eecb0e9aebf96e92b8165371
                                              • Instruction Fuzzy Hash: 6A1106B1D003498FDB20DFAAC84579EFBF5AF88724F248419D519A7240CB79A944CBA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 026BB45E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: d6457c33f93d40a3afa38fb938887f4317bad87652fca6904b796004f212999a
                                              • Instruction ID: 311934d4b3efe9446175a113b5c26907dee63beaff7eebcf7217427f1901f382
                                              • Opcode Fuzzy Hash: d6457c33f93d40a3afa38fb938887f4317bad87652fca6904b796004f212999a
                                              • Instruction Fuzzy Hash: 4111DFB6C007498FDB10CF9AC544ADEFBF4BF88628F10845AD829A7314D3B9A545CFA5
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 026BB45E
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 400b0d40944463d31032e1d28f96157d4373fccbb3284042fd9856585ab523f9
                                              • Instruction ID: a837fbb8c63be7f3a94430c28d7daefaa4f5c9cb935b22de250a656ca148b98c
                                              • Opcode Fuzzy Hash: 400b0d40944463d31032e1d28f96157d4373fccbb3284042fd9856585ab523f9
                                              • Instruction Fuzzy Hash: F011DFB6C006498FDB10CF9AD544ADEFBF4FF88628F10845AD829A7314D3B9A545CFA1
                                              APIs
                                              • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,026BB4D9,00000800,00000000,00000000), ref: 026BB6EA
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2352619865.00000000026B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026B0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_26b0000_skyT.jbxd
                                              Similarity
                                              • API ID: LibraryLoad
                                              • String ID:
                                              • API String ID: 1029625771-0
                                              • Opcode ID: 80c937b888744085fdd63e6dbec969e522016baadccac163b2468bee3c8938e7
                                              • Instruction ID: 0862cb0eae41f37688e6e26bdda043321c4734c240edebbd1e50174335fd7d11
                                              • Opcode Fuzzy Hash: 80c937b888744085fdd63e6dbec969e522016baadccac163b2468bee3c8938e7
                                              • Instruction Fuzzy Hash: 4B01A7B69003088FDB118FADDC047DABFF4AF95328F10816AE548D7760C3B59885CB65
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CEBDFD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 3c3a41f6b0ef572110f347dc2e1deda98cd9649b2daeb15ba98540c0bd97a73f
                                              • Instruction ID: 0c83d4f3815e55981a4d5847dbfe198e67e801e523013a4d9990ca13544d9747
                                              • Opcode Fuzzy Hash: 3c3a41f6b0ef572110f347dc2e1deda98cd9649b2daeb15ba98540c0bd97a73f
                                              • Instruction Fuzzy Hash: 3A1122B58003499FDB50CF8AC944BEEFBF8EB48324F208459E518A3200C3B5AA50CFA5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CEBDFD
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2359809125.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_6ce0000_skyT.jbxd
                                              Similarity
                                              • API ID: MessagePost
                                              • String ID:
                                              • API String ID: 410705778-0
                                              • Opcode ID: 3bd16480cd1cdd90b56acca331806ee29c6127f183f879491256b0beaeefbc6e
                                              • Instruction ID: 2111829638d8821ac58b1b9593a65d1550ee24892a17e0385f469adda366e7f2
                                              • Opcode Fuzzy Hash: 3bd16480cd1cdd90b56acca331806ee29c6127f183f879491256b0beaeefbc6e
                                              • Instruction Fuzzy Hash: 5211E0B98006499FDB10DF9AC945BDEFBF8FB48324F20845AD958A7200C375A984CFA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351780110.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a8d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19adafc3118b945a8011280af969782acb892a6fc136d17b8d286c9c76edab79
                                              • Instruction ID: 0af947e340bd7fa7f4047099f1ab8bee3d4c70a18b2b60ec81beb6d59a5dbf0c
                                              • Opcode Fuzzy Hash: 19adafc3118b945a8011280af969782acb892a6fc136d17b8d286c9c76edab79
                                              • Instruction Fuzzy Hash: BA21F5B2504244EFDB19EF14D9C0F26BF65FB88718F24C56EE9090B296C336D856CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351822617.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a9d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c04889e3ad0f3c22568520507a110be1f12179d71cb8589e8648307d2b3186f5
                                              • Instruction ID: e5052fe40a1d0443de1b9aec9dde7eb6776aac6d9e8398fd1435c620f6b4c3f6
                                              • Opcode Fuzzy Hash: c04889e3ad0f3c22568520507a110be1f12179d71cb8589e8648307d2b3186f5
                                              • Instruction Fuzzy Hash: 2A210E75604200EFDF14DF24D980B26BBA1FB88314F20C56DE90A0B296C77AD886CA61
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351822617.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a9d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 31a987343e0a62bddce889db0ea399b1a9ba7f81d57f8a4ace090c901fcf6e01
                                              • Instruction ID: f3171d745f31d41ac004cf53b3fc00b89167ccb89f4925a2428aed06b607ce17
                                              • Opcode Fuzzy Hash: 31a987343e0a62bddce889db0ea399b1a9ba7f81d57f8a4ace090c901fcf6e01
                                              • Instruction Fuzzy Hash: 0121C6755093808FDB02CF20D590715BFB1FB45314F28C5DAD8498B2A7C33AD84ACB62
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351780110.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a8d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction ID: 3299495cac5a62e76a09f58dabada7c0146afbe17a0d96de956ae23bf976f7ca
                                              • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                                              • Instruction Fuzzy Hash: 4C11E676504280DFCB15DF10D5C4B16BF71FB94318F24C6AAD8490B656C33AD856CBA1
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351780110.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a8d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 403b9a74bcd16bd28731a66577adf3d251e4225f55c625072aa0c9e41d98d218
                                              • Instruction ID: 345246b37eefbfe7d639a2bbf761dbb4deb684549544cf1cd4e2dd99bbee8a35
                                              • Opcode Fuzzy Hash: 403b9a74bcd16bd28731a66577adf3d251e4225f55c625072aa0c9e41d98d218
                                              • Instruction Fuzzy Hash: DE012671004340DAE7206B25CD80B26FFE8EF51334F18C41AEE080A2C6C7B89840C7B2
                                              Memory Dump Source
                                              • Source File: 00000009.00000002.2351780110.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_9_2_a8d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 03a857f3dfd910273a7eb2d5b427af62a4eeb7f0ffc78f21a870e49f2a187bf3
                                              • Instruction ID: 0ee8fb86279b668c4472b397f1fddb793ed9a4a3d743ce9ff2368364f6f45da6
                                              • Opcode Fuzzy Hash: 03a857f3dfd910273a7eb2d5b427af62a4eeb7f0ffc78f21a870e49f2a187bf3
                                              • Instruction Fuzzy Hash: 73F06D72405344AEE7209B16DD84B62FFA8EF91738F18C45AED084A286C379A844CBB1

                                              Execution Graph

                                              Execution Coverage:10.9%
                                              Dynamic/Decrypted Code Coverage:94.4%
                                              Signature Coverage:0%
                                              Total number of Nodes:250
                                              Total number of Limit Nodes:23
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9010b1d1cc66e2240b3a2047141fd0694244138ac00f15d5b85c39d4f68a2949
                                              • Instruction ID: e474cba1123184b3502ddaf30217b0aff1aa9f32a9d469a8f95f28949ffce999
                                              • Opcode Fuzzy Hash: 9010b1d1cc66e2240b3a2047141fd0694244138ac00f15d5b85c39d4f68a2949
                                              • Instruction Fuzzy Hash: EE63E731D10B1A8ADB11EF68C884A99F7B1FF99310F15D79AE44877121EB70AAC4CF81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b3925dfcc6cb81b0e21b8c0b8040194a09d3f428d9915754db634e930508fc43
                                              • Instruction ID: 716684b3dcf0cb8f60f84d4ac966d7ad04c4428d3f6d78bb2ee1f6b96ff14fc7
                                              • Opcode Fuzzy Hash: b3925dfcc6cb81b0e21b8c0b8040194a09d3f428d9915754db634e930508fc43
                                              • Instruction Fuzzy Hash: 7A330D31D10B198EDB11EF68C8846ADF7F1FF99300F15C69AE458A7215EB70AAC5CB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4ac38f659c577fbd1d6f8049bc3c905e297c33f709c9874d61df54010ea4740b
                                              • Instruction ID: 1882d13aa8b2b0d5702bb1972b6585f7a6bcb02afd152283d4a3b37c5ca40cac
                                              • Opcode Fuzzy Hash: 4ac38f659c577fbd1d6f8049bc3c905e297c33f709c9874d61df54010ea4740b
                                              • Instruction Fuzzy Hash: 62B15B70E002098FDF10CFA9C88979DFBF2AF88714F148529D916EB294EB759891CB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a32f5b37b5ce25cb42d0ca0d3a04f692a92d92120c6ca393a8c6172ddc7149ac
                                              • Instruction ID: f98a6fec4ab8d347557f531697d4e60ed12f60cf5da62789bc25bb9210c05d20
                                              • Opcode Fuzzy Hash: a32f5b37b5ce25cb42d0ca0d3a04f692a92d92120c6ca393a8c6172ddc7149ac
                                              • Instruction Fuzzy Hash: 1C914870E002499FEF10CFA9C9897AEFBF2BF88714F148129E415E7294EB749845CB81

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 912 664796f-6647974 913 6647976 912->913 914 664790d-6647943 GetModuleHandleW 912->914 916 664797d-66479cf 913->916 917 6647978-664797c 913->917 918 6647945-664794b 914->918 919 664794c-6647960 914->919 920 66479d1-66479db 916->920 921 6647a08-6647a56 916->921 917->916 918->919 920->921 922 66479dd-66479df 920->922 931 6647a5f-6647a90 921->931 932 6647a58-6647a5e 921->932 924 66479e1-66479eb 922->924 925 6647a02-6647a05 922->925 927 66479ed 924->927 928 66479ef-66479fe 924->928 925->921 927->928 928->928 929 6647a00 928->929 929->925 935 6647aa0 931->935 936 6647a92-6647a96 931->936 932->931 938 6647aa1 935->938 936->935 937 6647a98 936->937 937->935 938->938
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06647936
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 671ab2654c932d217dfb333a3ac445759b43cc21d903d9b6f292b77db91b9ab9
                                              • Instruction ID: 7fa869c9fcc4a82fc919a87501312865135d88aea55dcd95795102b334ecdc1a
                                              • Opcode Fuzzy Hash: 671ab2654c932d217dfb333a3ac445759b43cc21d903d9b6f292b77db91b9ab9
                                              • Instruction Fuzzy Hash: 634142B1D002898FDB54EFA9C844B9EBFF1BF48314F20852AE819A7340D7759585CF95

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 939 6648973-66489de 940 66489e0-66489e6 939->940 941 66489e9-66489f0 939->941 940->941 942 66489f2-66489f8 941->942 943 66489fb-6648a33 941->943 942->943 944 6648a3b-6648a9a CreateWindowExW 943->944 945 6648aa3-6648adb 944->945 946 6648a9c-6648aa2 944->946 950 6648add-6648ae0 945->950 951 6648ae8 945->951 946->945 950->951 952 6648ae9 951->952 952->952
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06648A8A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: f7ad99f75c031fbb50c8cfe4bf2b3fe5aeb0ed2f36a8f59a6ed7b578b794612b
                                              • Instruction ID: a7c734d69eb00869302b45453dcbd9db827f0cb88bf17898983869bc9e73a36f
                                              • Opcode Fuzzy Hash: f7ad99f75c031fbb50c8cfe4bf2b3fe5aeb0ed2f36a8f59a6ed7b578b794612b
                                              • Instruction Fuzzy Hash: 6C51B0B1D003499FDB14CF99C984ADEBBB1BF48310F24822EE819AB250D7B19985CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 953 6648978-66489de 954 66489e0-66489e6 953->954 955 66489e9-66489f0 953->955 954->955 956 66489f2-66489f8 955->956 957 66489fb-6648a9a CreateWindowExW 955->957 956->957 959 6648aa3-6648adb 957->959 960 6648a9c-6648aa2 957->960 964 6648add-6648ae0 959->964 965 6648ae8 959->965 960->959 964->965 966 6648ae9 965->966 966->966
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06648A8A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: CreateWindow
                                              • String ID:
                                              • API String ID: 716092398-0
                                              • Opcode ID: 97bab5b22186ecbb9e0d52efe4506f38d7634831139a06e3fc5afe29f981e130
                                              • Instruction ID: af3139d5990fca97f4e47ab44414773b7e9be45269b62c0fe83e26a8c3f4da1a
                                              • Opcode Fuzzy Hash: 97bab5b22186ecbb9e0d52efe4506f38d7634831139a06e3fc5afe29f981e130
                                              • Instruction Fuzzy Hash: 5941B0B1D00349DFDB14DF9AC984ADEFBB5BF48310F24812AE819AB250D7B59885CF90

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 967 664c28c-664d5ac 971 664d5b2-664d5b7 967->971 972 664d65c-664d67c call 6646c2c 967->972 974 664d5b9-664d5f0 971->974 975 664d60a-664d642 CallWindowProcW 971->975 979 664d67f-664d68c 972->979 982 664d5f2-664d5f8 974->982 983 664d5f9-664d608 974->983 976 664d644-664d64a 975->976 977 664d64b-664d65a 975->977 976->977 977->979 982->983 983->979
                                              APIs
                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0664D631
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: CallProcWindow
                                              • String ID:
                                              • API String ID: 2714655100-0
                                              • Opcode ID: cb4e399d5011a368f9c671a8dbad589576f99a9e36be77e42e589ec447e3374c
                                              • Instruction ID: 9a1dcc58504ddd8c31f3fcf3c1c438c38206d40ce6cfc12ccdd531ef36804dfa
                                              • Opcode Fuzzy Hash: cb4e399d5011a368f9c671a8dbad589576f99a9e36be77e42e589ec447e3374c
                                              • Instruction Fuzzy Hash: 014136B4D00309CFDB54DF99C888AAABBF5FF88314F248459E518AB321D774A941CFA0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 985 664e2ac-664e2b4 986 664e2b6-664e2ff 985->986 987 664e300-664e308 985->987 986->987 989 664e312-664e350 OleGetClipboard 987->989 990 664e352-664e358 989->990 991 664e359-664e3a7 989->991 990->991 996 664e3b7 991->996 997 664e3a9-664e3ad 991->997 999 664e3b8 996->999 997->996 998 664e3af 997->998 998->996 999->999
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: cea62e2edfb0b722cea8af564a18c51d8b7097950f5321dc72e06c5ba029a8f9
                                              • Instruction ID: 0241a838e969b0b1655d059939bc230c8b836b19e744d66143afaf0be5b9f115
                                              • Opcode Fuzzy Hash: cea62e2edfb0b722cea8af564a18c51d8b7097950f5321dc72e06c5ba029a8f9
                                              • Instruction Fuzzy Hash: 913110B0D01208DFDB55DFA9C984B8EBBF5BF48714F248019E004BB3A0DBB5A845CBA5

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1000 664dca8-664e350 OleGetClipboard 1004 664e352-664e358 1000->1004 1005 664e359-664e3a7 1000->1005 1004->1005 1010 664e3b7 1005->1010 1011 664e3a9-664e3ad 1005->1011 1013 664e3b8 1010->1013 1011->1010 1012 664e3af 1011->1012 1012->1010 1013->1013
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: Clipboard
                                              • String ID:
                                              • API String ID: 220874293-0
                                              • Opcode ID: 02e401348c29cf73e590f334949da8a701fb6956eff169227978b6eef6f86eae
                                              • Instruction ID: e7c892730046cc848048a8db77c05b459c3fe7c929f69f53354e637063829b7b
                                              • Opcode Fuzzy Hash: 02e401348c29cf73e590f334949da8a701fb6956eff169227978b6eef6f86eae
                                              • Instruction Fuzzy Hash: 36311FB0D01208DFEB51DF99C984B9EBBF1BF48714F248059E404BB3A0DBB5A845CB91

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1014 664c6d0-664c76c DuplicateHandle 1015 664c775-664c792 1014->1015 1016 664c76e-664c774 1014->1016 1016->1015
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0664C75F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 821abfb45596b73419af19cb12a3bfa10ce8b66a1f50469154d48de33bbfe58a
                                              • Instruction ID: 0eb991e0211db1192c1c7c647c0b7360353305e11ea1df9ff1ab9703d53aaab5
                                              • Opcode Fuzzy Hash: 821abfb45596b73419af19cb12a3bfa10ce8b66a1f50469154d48de33bbfe58a
                                              • Instruction Fuzzy Hash: 2221E3B59012499FDB10CFA9D984AEEBFF5EB48320F24841AE918A3350D379A950CF64

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1019 664c6d8-664c76c DuplicateHandle 1020 664c775-664c792 1019->1020 1021 664c76e-664c774 1019->1021 1021->1020
                                              APIs
                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0664C75F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: DuplicateHandle
                                              • String ID:
                                              • API String ID: 3793708945-0
                                              • Opcode ID: 4b58a0d08644f5401d0f1963253af4c59b6a16a2133db6735473d1559a4982f5
                                              • Instruction ID: 21b54e6e099b46721c480513e3906f19d3252ec3997c08311b7e7e107a2c3061
                                              • Opcode Fuzzy Hash: 4b58a0d08644f5401d0f1963253af4c59b6a16a2133db6735473d1559a4982f5
                                              • Instruction Fuzzy Hash: 9121E4B59012499FDB10CFAAD984ADEFBF4FB48720F24801AE914A3310D374A950CFA4

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1024 664fe01-664fe52 1027 664fe54-664fe5c 1024->1027 1028 664fe5e-664fe90 SetWindowsHookExA 1024->1028 1027->1028 1029 664fe92-664fe98 1028->1029 1030 664fe99-664feb9 1028->1030 1029->1030
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0664FE83
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 53674fc3a856abb27f19cccae931aec230703b10b25091984976854c20943d73
                                              • Instruction ID: 362f3fa9c95edca0ebe21af8c3315ae22bc715c8ff6ea085aa17416dfa6a65c6
                                              • Opcode Fuzzy Hash: 53674fc3a856abb27f19cccae931aec230703b10b25091984976854c20943d73
                                              • Instruction Fuzzy Hash: D62115B5D002499FDB54DFAAC944BDEFBF5AB88720F108429E419A7250CB75A940CFA1

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1034 664fe08-664fe52 1036 664fe54-664fe5c 1034->1036 1037 664fe5e-664fe90 SetWindowsHookExA 1034->1037 1036->1037 1038 664fe92-664fe98 1037->1038 1039 664fe99-664feb9 1037->1039 1038->1039
                                              APIs
                                              • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 0664FE83
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: HookWindows
                                              • String ID:
                                              • API String ID: 2559412058-0
                                              • Opcode ID: 47def53e13bfed4e2fa937c93d79f5e552962a7ba8aff21906b08c81cfebdf80
                                              • Instruction ID: a07bf574d7e797bb9736435ed99f3c0b720ef2b16812ed577a42ed0a284f8f11
                                              • Opcode Fuzzy Hash: 47def53e13bfed4e2fa937c93d79f5e552962a7ba8aff21906b08c81cfebdf80
                                              • Instruction Fuzzy Hash: E82115B1D002499FDB54DF9AC944BDEFBF5AB88720F108429D418A7250CB75A940CFA1

                                              Control-flow Graph
                                              • [Graph image not included in the page; basic blocks 6645e44-6647960, GetModuleHandleW called from block 6647918-6647943; legend: Executed / Not Executed]
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06647936
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: e145d81873c2040551fee43828073be5b76a32b60016378cad468b21d8d21c5c
                                              • Instruction ID: 2dbdf6cb58356c2ffe2bac6c814fdbeeb27b7df88f05ed43b2f3b2655b5197fc
                                              • Opcode Fuzzy Hash: e145d81873c2040551fee43828073be5b76a32b60016378cad468b21d8d21c5c
                                              • Instruction Fuzzy Hash: 8A1120B5C003498FDB10DF9AC844B9EFBF4EB88220F10846AD818B7700C3B5A505CFA4

                                              Control-flow Graph
                                              • [Graph image not included in the page; basic blocks 66478cd-6647960, GetModuleHandleW called from block 6647918-6647943; legend: Executed / Not Executed]
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 06647936
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: HandleModule
                                              • String ID:
                                              • API String ID: 4139908857-0
                                              • Opcode ID: 61d8e8114f117dbd3a22c5c119dc7589adf7f67770b34a9b0af59e25335b6a4f
                                              • Instruction ID: a1c2db6fdbf615acd0b3eff420ceebdbaa8bc9325258e34fb0c2b94528ff7d85
                                              • Opcode Fuzzy Hash: 61d8e8114f117dbd3a22c5c119dc7589adf7f67770b34a9b0af59e25335b6a4f
                                              • Instruction Fuzzy Hash: 0F1102B5C002498FDB10DF9AC944A9EFBF4AB88620F10842AD419B7710D375A545CFA5

                                              Control-flow Graph
                                              • [Graph image not included in the page; basic blocks 664c2e4-664d931, KiUserCallbackDispatcher called from block 664c2e4-664d914; legend: Executed / Not Executed]
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0664D87D), ref: 0664D907
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: b4f97623d698e000fea9790bdcd8b8ea97b67132260878e2992b9c16100e997f
                                              • Instruction ID: 44a342b5100f0b3499b5b4de14721bce776b4810bded102297a6f89ef34fe8f0
                                              • Opcode Fuzzy Hash: b4f97623d698e000fea9790bdcd8b8ea97b67132260878e2992b9c16100e997f
                                              • Instruction Fuzzy Hash: 361122B18002498FDB50DF9AD584B9EBBF4EF48220F20846AD518A3350D3B5A940CFA4

                                              Control-flow Graph
                                              • [Graph image not included in the page; basic blocks 664e169-664e1f8, OleInitialize called from block 664e170-664e1d2; legend: Executed / Not Executed]
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0664E1C5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: fb227d4061d40790218ef7316b56b7a3f1c071919ff0f7bbfb65873012e302af
                                              • Instruction ID: 1245ee02dca2487bd03dd720b2542f263cdda12e96ce05e0700dd5e69effbc58
                                              • Opcode Fuzzy Hash: fb227d4061d40790218ef7316b56b7a3f1c071919ff0f7bbfb65873012e302af
                                              • Instruction Fuzzy Hash: 3A1103B58003898FCB60DFAAD944BCEFFF4EB48224F248859E559A7700C775A544CFA5

                                              Control-flow Graph
                                              • [Graph image not included in the page; basic blocks 664db90-664e1f8, OleInitialize called from block 664db90-664e1d2; legend: Executed / Not Executed]
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 0664E1C5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: Initialize
                                              • String ID:
                                              • API String ID: 2538663250-0
                                              • Opcode ID: 1551bd8b124d6ac0672a4704e4806bf10b51da2d50767dd69de9eb9affc9a7c0
                                              • Instruction ID: 795364537ab1185f112ab52a5db063b8357aa09c1ff7549850e86e20dc57410b
                                              • Opcode Fuzzy Hash: 1551bd8b124d6ac0672a4704e4806bf10b51da2d50767dd69de9eb9affc9a7c0
                                              • Instruction Fuzzy Hash: DE1103B5900349CFDB50DFAAC544B9EBBF4EB48324F208459E519A7700D3B5A944CFA5
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0664D87D), ref: 0664D907
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4578410358.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_6640000_skyT.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: 0bf027f135b8720a3d8d17af07af45e2546011e542e844cff4a3abaaf0e2133b
                                              • Instruction ID: 658eb74df94f5a9ab44dd2528004bf43497656e818a36da76e09803a024ed2c6
                                              • Opcode Fuzzy Hash: 0bf027f135b8720a3d8d17af07af45e2546011e542e844cff4a3abaaf0e2133b
                                              • Instruction Fuzzy Hash: 5E1103B5C002498FDB20DF9AD944BDEFBF8AF48724F20845AD518A7350C7B5A944CFA5
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bccd5e7574f854aa46e0afee4feb718c95597bdf82623da661bec251a31c5a35
                                              • Instruction ID: 9b43b99cb3a4cf1c248e25995f6d129f0d18797457bae395baa3ba6173ca454d
                                              • Opcode Fuzzy Hash: bccd5e7574f854aa46e0afee4feb718c95597bdf82623da661bec251a31c5a35
                                              • Instruction Fuzzy Hash: 2CD18E35B00205DFDB15DBA8D488AADBBF2FF88324F148469EA06EB355DA35DC41CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9c9fc1b23f37231bb6adcfe58d1c34c52e2bb858fb6a721f01c295f1ad134bc4
                                              • Instruction ID: 6c8d7f7fb42d298154c0256ba8e9e55fb6b1b0b69dd8cb0b0461c693a99a97cd
                                              • Opcode Fuzzy Hash: 9c9fc1b23f37231bb6adcfe58d1c34c52e2bb858fb6a721f01c295f1ad134bc4
                                              • Instruction Fuzzy Hash: B0B19F30700203DBDB2A9B2CE4896197BA2FBC9365F50993DE106CB355CE7AEC46D791
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 83f8a7a0ee76748e12593a1dd6df0c794025c2cada182782791849687556e8c1
                                              • Instruction ID: bfa156b10d25272c7b173b4e39bd539b190f959680beb44df51267b9e88fbdcd
                                              • Opcode Fuzzy Hash: 83f8a7a0ee76748e12593a1dd6df0c794025c2cada182782791849687556e8c1
                                              • Instruction Fuzzy Hash: 50B14A70E002598FDF10CFA9C88979DFBF1BF48714F248129D916EB294EB759895CB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 98f40bc0e8c7c9cd1a3c42a3570931b0ceab85e06a47dc25d2c64ca55d011b94
                                              • Instruction ID: 8f91e552ed8290fa49800a3e2269a3c0ce47903fad1f9362b18f0a8972704ca3
                                              • Opcode Fuzzy Hash: 98f40bc0e8c7c9cd1a3c42a3570931b0ceab85e06a47dc25d2c64ca55d011b94
                                              • Instruction Fuzzy Hash: 7C912770E002499FDF10CFA9C9897AEFBF1BF88714F248129E415E7294EB749945CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a4e6b28f8335bfbd0d49934bc5f835541234f84a0d19cfcf341fcb8d67ad8c65
                                              • Instruction ID: 14f215cddda844f5cffa64470a8cfb961389be42d2be809d05caf1b22414b78c
                                              • Opcode Fuzzy Hash: a4e6b28f8335bfbd0d49934bc5f835541234f84a0d19cfcf341fcb8d67ad8c65
                                              • Instruction Fuzzy Hash: 3F818F71A002059FDB14DF69D888B9EFBF1FF88314F24C169EA09AB395DB719841CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a1a338779520933ecb07a02755b97a1cd34f46571b3778f07619875c37d76466
                                              • Instruction ID: a8881560db917fcbe76ffdbe5d02e361180c17444f43a875e1f3e961d6f38404
                                              • Opcode Fuzzy Hash: a1a338779520933ecb07a02755b97a1cd34f46571b3778f07619875c37d76466
                                              • Instruction Fuzzy Hash: 5361D536E1056A8FDB16CB5CC9946BDF7F2EF88310F19896AC456AB242C334AD45C790
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 12146314363ce4bc7b0212a0625f8ef22881540ac150d1c5d9a509e9a84d2cd3
                                              • Instruction ID: 343ed3fa106ebfef41e8ac5885fab01d8a117f845c40ae7c8834c8d59868bfc8
                                              • Opcode Fuzzy Hash: 12146314363ce4bc7b0212a0625f8ef22881540ac150d1c5d9a509e9a84d2cd3
                                              • Instruction Fuzzy Hash: 557157B1E002499FDF10CFA9C88879EFBF2AF88714F148129E416E7254EB749942CB95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e6ea9ce375806452e0acbfdd8fa051882d120c0e9fb923caf7e3744807174bfe
                                              • Instruction ID: 68aad202aeab8e4807bad28b3bc76cbcfad27a93b1fa07f15247800bfa9bdc6a
                                              • Opcode Fuzzy Hash: e6ea9ce375806452e0acbfdd8fa051882d120c0e9fb923caf7e3744807174bfe
                                              • Instruction Fuzzy Hash: 247156B1E002499FDF10CFA8C88979EFBF2AF88714F148129E416E7254EB749942CB95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 122ff42eb206d07ef34441986b194e2c6ea0d99892df12cfbd6012acccda31be
                                              • Instruction ID: 61b4ac5932fe332fd3f822a1557148ff0089852c123e4b8b851cd15169de5ca0
                                              • Opcode Fuzzy Hash: 122ff42eb206d07ef34441986b194e2c6ea0d99892df12cfbd6012acccda31be
                                              • Instruction Fuzzy Hash: D841C030B0020A8FDB199B38D858A6EBBF2AF8D744F24846DD406DB385EE35DC46C790
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5faf8774f3197a1b7b88d03734c67c870a54180ac4d6fc73b9c33694ba98e1e2
                                              • Instruction ID: 7801e7b0008d82197c20fca8e6321174add2134c9caa9080f613bf0dd8305991
                                              • Opcode Fuzzy Hash: 5faf8774f3197a1b7b88d03734c67c870a54180ac4d6fc73b9c33694ba98e1e2
                                              • Instruction Fuzzy Hash: 6441B932B052469BDF318AACD48876FF7F5FB89214F20482AD61ADB395D634DC418791
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e74dac53489ab5da8415126d7de54f7f6026225bc966e1b6ab81fe8f51bbe13e
                                              • Instruction ID: c470d2e69c2521cca19211662ef0e6609dabf334a0406b6a3edfebfa459f6e03
                                              • Opcode Fuzzy Hash: e74dac53489ab5da8415126d7de54f7f6026225bc966e1b6ab81fe8f51bbe13e
                                              • Instruction Fuzzy Hash: EB5103B0D002188FDF14CFA9C849B9DFBF1BF48314F148129E815AB391D7B4A884CB95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9ea7ebe537b0fa55cd5ddc212267ca46159f058d9071eb99d12a4fe7f26e0e6a
                                              • Instruction ID: 88874024f640698d23321b0e205dfa890cbee32f35ddf14e4a122abb7b773e0d
                                              • Opcode Fuzzy Hash: 9ea7ebe537b0fa55cd5ddc212267ca46159f058d9071eb99d12a4fe7f26e0e6a
                                              • Instruction Fuzzy Hash: 5D51F3B4D102588FDF14CFA9D848B9DFBF1BF48314F548129E815AB391D7B4A884CB95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5d9759e8feff62d6dac0c9451d1c66085d28871fbe738d3f2a0839087801d177
                                              • Instruction ID: fa9d8d18cb05e245ec89604e7f8cd95de664d3444057bb129e885c44a738990b
                                              • Opcode Fuzzy Hash: 5d9759e8feff62d6dac0c9451d1c66085d28871fbe738d3f2a0839087801d177
                                              • Instruction Fuzzy Hash: 4951F870305242EFC73ADF2CFE889567FA1EB96305300B5ADD2045B266DA7E2D15CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 88a95259cf5a395abb128d3c98e7ff43ea523a26340d34e04e52104fa7ddb953
                                              • Instruction ID: 92483e723e221c210382c8a9f4549620ff39c066f620f1dd6aa360d5c94ecaed
                                              • Opcode Fuzzy Hash: 88a95259cf5a395abb128d3c98e7ff43ea523a26340d34e04e52104fa7ddb953
                                              • Instruction Fuzzy Hash: 4841E370B40202DBDB21DB3CE98D65EBBE6EB8C754F501529E90AC7245EB3DDD018B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9013325def1b714d89697a683fbfed531a1a12d546185b25964581372a03526b
                                              • Instruction ID: 5c6e3c97801a5d03ca8ba6b3a0cfdd5ea9b233fe3244fb1dfab0dc6beb1c71b1
                                              • Opcode Fuzzy Hash: 9013325def1b714d89697a683fbfed531a1a12d546185b25964581372a03526b
                                              • Instruction Fuzzy Hash: 7C41A230E0424ADBDB19DBA8D44879EF7F6FF89314F208569E801EB245EB759842CB80
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5feac80d8e823b4d6c51f6a67d3dea285b7e89ab2c9d3d2c419c364d36213a38
                                              • Instruction ID: 1c6b1398f8ecfa54cbb754ebcaf25e83f967537e68bb092164ab74fb3abf0504
                                              • Opcode Fuzzy Hash: 5feac80d8e823b4d6c51f6a67d3dea285b7e89ab2c9d3d2c419c364d36213a38
                                              • Instruction Fuzzy Hash: 5F51D770305142EFC73ADF2CFE889567FA1EB95306300B5A9D2085B266DE7E2D15CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5c357bd3eddf44c96577d3d00994f34489b353fc140679d31b6dacdb7bf29c2
                                              • Instruction ID: 3d19fa3988384ab989a16582ccc887a130a924cde0808246818daf85c7e774e2
                                              • Opcode Fuzzy Hash: c5c357bd3eddf44c96577d3d00994f34489b353fc140679d31b6dacdb7bf29c2
                                              • Instruction Fuzzy Hash: 79416B35600249CFDB25DB78C918B9EBBF1EF89218F2444A9E506DB361DA369C01CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a068304513b86d7789a5b96030ac2237dc6f63813fa0d7c7d0a54e7aac05b97f
                                              • Instruction ID: 032a30f6903a09735c0c628befaa971375e0e757192f62e2b2b3ab5e46e569d5
                                              • Opcode Fuzzy Hash: a068304513b86d7789a5b96030ac2237dc6f63813fa0d7c7d0a54e7aac05b97f
                                              • Instruction Fuzzy Hash: CC316030E042199BDB19CBA8D45969EF7F6EF89310F208565E906EB241EB719941CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 110a0d0f969f7e0e32fec1aa515f41e9989ee54f5a7b9f9c358622dacf46ca87
                                              • Instruction ID: 23dc5f02bb8c42c2cc0da54d61588cb59e4d150052192001b68fa9fcc6ebf1b9
                                              • Opcode Fuzzy Hash: 110a0d0f969f7e0e32fec1aa515f41e9989ee54f5a7b9f9c358622dacf46ca87
                                              • Instruction Fuzzy Hash: A1410FB0900349DFDB14CFA9C584ADEBFF5FF48714F248029E909AB254DB75A949CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 5b49125ab4c38477069218d8c2e596e706f8d40c1b21e9d3005e6f5aff32b79e
                                              • Instruction ID: 7f0baac5bc933977585fcd582ee53c17f499ace165d20411739bd8084b636973
                                              • Opcode Fuzzy Hash: 5b49125ab4c38477069218d8c2e596e706f8d40c1b21e9d3005e6f5aff32b79e
                                              • Instruction Fuzzy Hash: 70316F34A106169BDB15CF69D89969EFBF2BF89310F10C929E806E7341DB71AC45CB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 30cbd403d1225fb627f01ce3b9cad8d17cdf2c4f3a72bb35abc7172da3a36a65
                                              • Instruction ID: f374770dd457029a873bb0eb0166ef127fa951da4cff17b618e1c26e2832d818
                                              • Opcode Fuzzy Hash: 30cbd403d1225fb627f01ce3b9cad8d17cdf2c4f3a72bb35abc7172da3a36a65
                                              • Instruction Fuzzy Hash: E7316D34A1061A9BDB15CF69D89969EFBF2BF88310F10C929E806E7341DB71AC45CB40
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4922da6c664ce1f83a0ee2b3c68065d5eb2f2a98bf8455565b70d1a52e4f65bc
                                              • Instruction ID: ed1139bfc204822f72db9927ed408f5650af4b7d9f633d25d07a989a57e565e8
                                              • Opcode Fuzzy Hash: 4922da6c664ce1f83a0ee2b3c68065d5eb2f2a98bf8455565b70d1a52e4f65bc
                                              • Instruction Fuzzy Hash: 1041EDB0D00349DFDB14CFA9C984A9EBBF5AF48310F208029E909AB254DB75A945CB90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e09b191a70dc623ae6425a0ed753f41821c08f13b78414e8d0dda0f118da2dd7
                                              • Instruction ID: eb5a0208d4660fa4d32fd15164a0e0065013c84bc9cc98672d8fd8d26e51f188
                                              • Opcode Fuzzy Hash: e09b191a70dc623ae6425a0ed753f41821c08f13b78414e8d0dda0f118da2dd7
                                              • Instruction Fuzzy Hash: DB311A34700219CFDB25EB78D9186AEB7F2AF4C244F5004A8D501AB3A4EF3ADD01CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 663cc71b5143f4f5f24bffbf57e307f23947587cfa006ae107c785782b58bc7a
                                              • Instruction ID: fe4a4512370b2eaadf819a3389836ca6d84382dd921f2f2841e2b691e5a5392a
                                              • Opcode Fuzzy Hash: 663cc71b5143f4f5f24bffbf57e307f23947587cfa006ae107c785782b58bc7a
                                              • Instruction Fuzzy Hash: C4310B34700259CFDB65DB38D5586AEB7F2AF8C248F5004A9D502EB3A4DB3ADD41CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3dc6741981f5f1ca6aa15fee926c2bdbd84b4b16a719c800421df12ad9e87d59
                                              • Instruction ID: 49bc90c93128094edb596be015881b21e4394aee3584dec3e461d520ce913bd0
                                              • Opcode Fuzzy Hash: 3dc6741981f5f1ca6aa15fee926c2bdbd84b4b16a719c800421df12ad9e87d59
                                              • Instruction Fuzzy Hash: 9921B431B002028BDF329BBC944D3AEBBE5EB4E215F54047AE80AD7345E735C881CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7a0f8273676a9bdaf4d16e6a259fb3666e1c617674735ee0ac2bf105e98d0fbd
                                              • Instruction ID: 247f985f0ffe7498cef2ba0ec057f15e9e9f06b3e37b9f67dd2222b058971168
                                              • Opcode Fuzzy Hash: 7a0f8273676a9bdaf4d16e6a259fb3666e1c617674735ee0ac2bf105e98d0fbd
                                              • Instruction Fuzzy Hash: 40315E30E0020A9BDB16CF69D99879EF7F2FF9D300F10C629E805AB251DB719885CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4436f4e92c7b54bad24a47a6142da1c027bab66037522ec6b7b7ae4d3c1aa79c
                                              • Instruction ID: 5a154707888ad80e728b18a2212c7deb099260242de00bfa5e6ac169d05f5b53
                                              • Opcode Fuzzy Hash: 4436f4e92c7b54bad24a47a6142da1c027bab66037522ec6b7b7ae4d3c1aa79c
                                              • Instruction Fuzzy Hash: 80214D30A1020A9BDB16CF69D99879EF7F2FF8D300F108629E805AB251DB719885CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 7d1c3d5f162f6c880074b74fe11bbb6312f2d7c2635a05b6aea49145aeedd67b
                                              • Instruction ID: 7b21ddffc257fed3d1921a91934f4a4998800061ab040bc0bc1edccea1455acb
                                              • Opcode Fuzzy Hash: 7d1c3d5f162f6c880074b74fe11bbb6312f2d7c2635a05b6aea49145aeedd67b
                                              • Instruction Fuzzy Hash: E321B570E012199BCB06CFA8C8446DEF7F2AF8E300F50855AE812FB351DB719846CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0c311a55619ad45a75e2712850c99b176c9d90fc8bbb5a7018a55efeddaf1681
                                              • Instruction ID: c4a197497892c4f716627bdcaefd58b99ce4bd0517c0dcca3a957827f043a63f
                                              • Opcode Fuzzy Hash: 0c311a55619ad45a75e2712850c99b176c9d90fc8bbb5a7018a55efeddaf1681
                                              • Instruction Fuzzy Hash: A8217170A00301DBDB32567CE44D7697BE1EB4B359F90186AE90AC7396DA3D8984CB42
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9451132854a65dd2f9fa5f0897471f8ccf319c0dbfd556038a11fc62ee7c7d7d
                                              • Instruction ID: 57e3909bcc45ed685a90fe1062ec325da7d5e608c00cd28ff0971edcd69b11cd
                                              • Opcode Fuzzy Hash: 9451132854a65dd2f9fa5f0897471f8ccf319c0dbfd556038a11fc62ee7c7d7d
                                              • Instruction Fuzzy Hash: BD21C470700202DBEB31D73CF98C75A7BE6EB89714F406929E40AC7256EA3D9C41CB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572112864.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_160d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9f73695cb12c2eb2cfe0c0c14734ca7d61e940861e5483662e076b0dc19d2048
                                              • Instruction ID: c2074e5108b3db7851e4ab3ffdccb6d262bbc0fffe880e7ae56892c93242f60f
                                              • Opcode Fuzzy Hash: 9f73695cb12c2eb2cfe0c0c14734ca7d61e940861e5483662e076b0dc19d2048
                                              • Instruction Fuzzy Hash: BF210075604200EFDB1ADF98D980B27BB65EB84314F20C66DD90E4B392C37AD447CA61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 19f4b1bf9c37d9a9b09c7ce1f05b40a7012a41fe9bc48d26d67f939a69e5b712
                                              • Instruction ID: ba44cbaf0262ce6b2f9d4542b9e38b2db8225fe6385f0eb387608daaab674c7d
                                              • Opcode Fuzzy Hash: 19f4b1bf9c37d9a9b09c7ce1f05b40a7012a41fe9bc48d26d67f939a69e5b712
                                              • Instruction Fuzzy Hash: FD218131701285CFDF65EB78D55969EBBF1AF4D204F9004A9C106EB361DB368D41CB61
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0d4142edf6c56dca5d920c2ddd533244969f21d3b1eb002392891499efad72a6
                                              • Instruction ID: e7b533c1dbbe7de3c85d326aced07ca4de7df68375aa86b37432aed8dfb68206
                                              • Opcode Fuzzy Hash: 0d4142edf6c56dca5d920c2ddd533244969f21d3b1eb002392891499efad72a6
                                              • Instruction Fuzzy Hash: 93213D30B00245CFDB64DB78D55A6AEB7F6AF4D245F5004A8C106EB364EF368D41CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 52aee0d955f267b235ea41f93192b8a8ae2349b7ad41ae071874d7496a91eff1
                                              • Instruction ID: dd077137ecb3d6d43f46ccaa4edaa8a7378aeb4b59e0f357926a4a04ae685c5f
                                              • Opcode Fuzzy Hash: 52aee0d955f267b235ea41f93192b8a8ae2349b7ad41ae071874d7496a91eff1
                                              • Instruction Fuzzy Hash: BB218030E0160A9BDB19CFA8C85869EF7F2AF8D310F10C56AE811F7350DB719841CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1eaa45f799bb85d677656da08a001d9d779deb3986de6f3b02a9d8be1d7ff917
                                              • Instruction ID: 9c29d73983afaaa595a737c4a93e861e00ecbd823a95b20c6230946d18a5a807
                                              • Opcode Fuzzy Hash: 1eaa45f799bb85d677656da08a001d9d779deb3986de6f3b02a9d8be1d7ff917
                                              • Instruction Fuzzy Hash: 392105316093919FC716AB38842826ABFF1EF8B204B0544EFD445CB2A6EE758806C791
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 38158e23fb30094ce489bf53ad6bb66765a9554683d1510f4d9d4aaf58bb1bd5
                                              • Instruction ID: be4ee870f3c5cf6e590618974ae1e9374758b074b3f0061f121f55b7394c7867
                                              • Opcode Fuzzy Hash: 38158e23fb30094ce489bf53ad6bb66765a9554683d1510f4d9d4aaf58bb1bd5
                                              • Instruction Fuzzy Hash: FA219D307001029BEB31DA3CF98CB597BD6EB8C754F406929E90ACB256EA7D9C518B91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4b9522293dcdf33b9469a9f6ead6ce892d6c7d43130ff14240d801bac00e8684
                                              • Instruction ID: cc7b72ea9b45f8e170a7d881804fa6282330ccc626ee815ea0b2fae8602f1357
                                              • Opcode Fuzzy Hash: 4b9522293dcdf33b9469a9f6ead6ce892d6c7d43130ff14240d801bac00e8684
                                              • Instruction Fuzzy Hash: 5B211934700208CFDB64DB78D95CAADBBF1EB4D619B1004A9E506EB364DB369D40CBA1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3683bb938cd86a88ef13980a5e1b7eab74e81fa7357f8869636b273ac5c3a678
                                              • Instruction ID: 94b0ed9444efb995de338fbea43703a95556d3b0ca4fa7b554c1ebaf702a45d4
                                              • Opcode Fuzzy Hash: 3683bb938cd86a88ef13980a5e1b7eab74e81fa7357f8869636b273ac5c3a678
                                              • Instruction Fuzzy Hash: 3411C830B413054FEF265A7C941876A77E0EB8A214F24497EE046CF243D6A5CC418FC1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572112864.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_160d000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 70dbeb1bf0799e3035dd56484360466294dba98e40d6f4473469c050bf959bc4
                                              • Instruction ID: 3be7e1db3554a0328fa91c42e1c8f064101d73bf86ce7a03564075b8f16a620d
                                              • Opcode Fuzzy Hash: 70dbeb1bf0799e3035dd56484360466294dba98e40d6f4473469c050bf959bc4
                                              • Instruction Fuzzy Hash: D32192755093808FCB07CF64D990716BF71EB46214F28C6DAD8498F6A7C33AD80ACB62
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8af730221c89cc500b1b613b784b596cd3606bb04167be4375211c19885138b6
                                              • Instruction ID: f142665c3d4a20c0d40ca06b53974f95aa24003a12dd692d776f06065ec0f86e
                                              • Opcode Fuzzy Hash: 8af730221c89cc500b1b613b784b596cd3606bb04167be4375211c19885138b6
                                              • Instruction Fuzzy Hash: 2F119E30B402098BEF259A7DD85876AB6E5FB8D714F204979E146CF246DAA9CC818FC1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0e7ee1eca3b89dceccfc7a89f9a78d1a923ea122c344a68f297c24d99e6948e8
                                              • Instruction ID: 945a3a8eaebab1b3ed3ff347756eb27bad28f8805cbe5120a2ed8de41765c3f4
                                              • Opcode Fuzzy Hash: 0e7ee1eca3b89dceccfc7a89f9a78d1a923ea122c344a68f297c24d99e6948e8
                                              • Instruction Fuzzy Hash: 62014031B016158BCF21EFB884591ADFBF5EF4C214B6404BAE80AE7301E775D941CB91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fc55d72977f21b3113048fc4cc963974e968a08b94162410cc4acfda31e03960
                                              • Instruction ID: d364e0fa8c7704bf2338c15bef266792b134befd27982f5c3fbbaff7461340ff
                                              • Opcode Fuzzy Hash: fc55d72977f21b3113048fc4cc963974e968a08b94162410cc4acfda31e03960
                                              • Instruction Fuzzy Hash: A2018F30A0024BEBDB15EBBCF98499C7BF1EB84340F5052BCC5056B291EE7A2E15DB81
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2bb63d9c02db1cb2b9afc7e9973f3ba1a3476495448f6b16fa5df7dc8df1d7f0
                                              • Instruction ID: f7166f0f316960bcb2565504e59b979f372dd04e5a53f4ef1ad1e1e2c8cbd62d
                                              • Opcode Fuzzy Hash: 2bb63d9c02db1cb2b9afc7e9973f3ba1a3476495448f6b16fa5df7dc8df1d7f0
                                              • Instruction Fuzzy Hash: 26F0F033A04210CBDB12CBA8989A1ACFFF1EA6C2117AD00D7E907DB312D274E912CB51
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.4572673897.00000000017E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 017E0000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_17e0000_skyT.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2c704d387cdfdd64670c90aa330e6debcc9cdeef3ce75acf58636396c974a698
                                              • Instruction ID: 803a2d1611a6908a644c061672b3bb778de25132bf487c79d2432e9e59bc8b4f
                                              • Opcode Fuzzy Hash: 2c704d387cdfdd64670c90aa330e6debcc9cdeef3ce75acf58636396c974a698
                                              • Instruction Fuzzy Hash: C8F03C30A0014BEFDB04EFB8F98499D7BB1EB84340F50627DC509A7250EE7A6E14DB91