
Windows Analysis Report
Amended Order #60-230958400.exe

Overview

General Information

Sample name: Amended Order #60-230958400.exe
Analysis ID: 1447830
MD5: 4a345cee9677362bb87d2840ecd2991b
SHA1: 8f3b6f82059eb1b39e31ac1c8099d0f09c884c2a
SHA256: f5bee238d5326bb4e83d23c618286e6c8163b7d796c7245ad27ad95eeb9a1ca5
Tags: exe
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Amended Order #60-230958400.exe (PID: 2180 cmdline: "C:\Users\user\Desktop\Amended Order #60-230958400.exe" MD5: 4A345CEE9677362BB87D2840ECD2991B)
    • powershell.exe (PID: 7328 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BKTxiN.exe" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7816 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7572 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)
      • WerFault.exe (PID: 7664 cmdline: C:\Windows\system32\WerFault.exe -u -p 7572 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • BKTxiN.exe (PID: 7692 cmdline: C:\Users\user\AppData\Roaming\BKTxiN.exe MD5: 4A345CEE9677362BB87D2840ECD2991B)
    • schtasks.exe (PID: 7904 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp" MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: DC67ADE51149EC0C373A379473895BA1)
      • WerFault.exe (PID: 7988 cmdline: C:\Windows\system32\WerFault.exe -u -p 7956 -s 12 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "officestore2022@gmail.com", "Password": "xhcgmrubwdhylrry"}
Source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: Process Memory Space: Amended Order #60-230958400.exe PID: 2180; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x31b02:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31b74:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x31bfe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31c90:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x31cfa:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31d6c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x31e02:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31e92:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security

System Summary

Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe, ProcessId: 7572, ProcessName: RegSvcs.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ProcessId: 7328, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ProcessId: 7328, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\BKTxiN.exe, ParentImage: C:\Users\user\AppData\Roaming\BKTxiN.exe, ParentProcessId: 7692, ParentProcessName: BKTxiN.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp", ProcessId: 7904, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", ProcessId: 7424, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ProcessId: 7328, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Amended Order #60-230958400.exe", ParentImage: C:\Users\user\Desktop\Amended Order #60-230958400.exe, ParentProcessId: 2180, ParentProcessName: Amended Order #60-230958400.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp", ProcessId: 7424, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.gmail.com", "Username": "officestore2022@gmail.com", "Password": "xhcgmrubwdhylrry"}
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe; ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe; Virustotal: Detection: 36%
Source: Amended Order #60-230958400.exe; ReversingLabs: Detection: 26%
Source: Amended Order #60-230958400.exe; Virustotal: Detection: 36%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 96.6% probability
Source: Amended Order #60-230958400.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match; File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPE
Source: unknown; DNS traffic detected: query: 56.126.166.20.in-addr.arpa replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 56.126.166.20.in-addr.arpa
Source: Amended Order #60-230958400.exe, BKTxiN.exe.0.dr; String found in binary or memory: http://feeds.soundcloud.com/users/soundcloud:users:38128127/sounds.rss
Source: Amended Order #60-230958400.exe, 00000000.00000002.1674112844.0000000003DBB000.00000004.00000800.00020000.00000000.sdmp, BKTxiN.exe, 0000000C.00000002.1709607171.0000000003CF1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Amended Order #60-230958400.exe, 00000000.00000002.1682859394.000000001DDB2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.ipify.org

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, R1W.cs; .Net Code: XzfKyIvDT
Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, R1W.cs; .Net Code: XzfKyIvDT

                    System Summary

                    barindex
                    Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: Amended Order #60-230958400.exe
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exeCode function: 12_2_00007FFD9BA28F92 NtUnmapViewOfSection,12_2_00007FFD9BA28F92
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA198600_2_00007FFD9BA19860
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA12AFA0_2_00007FFD9BA12AFA
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA129F80_2_00007FFD9BA129F8
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA129E80_2_00007FFD9BA129E8
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA10E1D0_2_00007FFD9BA10E1D
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA129980_2_00007FFD9BA12998
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA1217A0_2_00007FFD9BA1217A
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA12C920_2_00007FFD9BA12C92
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeCode function: 0_2_00007FFD9BA23B800_2_00007FFD9BA23B80
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exeCode function: 12_2_00007FFD9BA1986012_2_00007FFD9BA19860
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exeCode function: 12_2_00007FFD9BA10E1D12_2_00007FFD9BA10E1D
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 12
                    Source: BKTxiN.exe.0.drStatic PE information: No import functions for PE file found
                    Source: Amended Order #60-230958400.exeStatic PE information: No import functions for PE file found
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1686863888.000000001E530000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1674018324.00000000038B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAxiom.dll@ vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1673953631.0000000003890000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000013D31000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAxiom.dll@ vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1687213183.000000001FAA6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename828fa1cf-c07a-41d9-8abe-44ba12064e60.exe4 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1674112844.0000000003DBB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename828fa1cf-c07a-41d9-8abe-44ba12064e60.exe4 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1674112844.00000000041FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1674112844.0000000003D21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameReactionDiffusion.dll0 vs Amended Order #60-230958400.exe
                    Source: Amended Order #60-230958400.exeBinary or memory string: OriginalFilenameTiaK.exe( vs Amended Order #60-230958400.exe
                    Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Amended Order #60-230958400.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: BKTxiN.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@1/0
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File created: C:\Users\user\AppData\Roaming\BKTxiN.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7572
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Mutant created: \Sessions\1\BaseNamedObjects\QpqBEleJWSYKJwPvqIBlnWf
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7440:120:WilError_03
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7956
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File created: C:\Users\user\AppData\Local\Temp\tmp61BF.tmp
Source: Amended Order #60-230958400.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Amended Order #60-230958400.exe | ReversingLabs: Detection: 26%
Source: Amended Order #60-230958400.exe | Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File read: C:\Users\user\Desktop\Amended Order #60-230958400.exe
Source: unknown | Process created: C:\Users\user\Desktop\Amended Order #60-230958400.exe "C:\Users\user\Desktop\Amended Order #60-230958400.exe"
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BKTxiN.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7572 -s 12
Source: unknown | Process created: C:\Users\user\AppData\Roaming\BKTxiN.exe C:\Users\user\AppData\Roaming\BKTxiN.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp"
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7956 -s 12
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Amended Order #60-230958400.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Amended Order #60-230958400.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: Amended Order #60-230958400.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

Source: Amended Order #60-230958400.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: Amended Order #60-230958400.exe, Form1.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: BKTxiN.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: BKTxiN.exe.0.dr, Form1.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Code function: 0_2_00007FFD9BA10BD5 pushad ; iretd 0_2_00007FFD9BA10BFD
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Code function: 12_2_00007FFD9BA1FD6E push ss; ret 12_2_00007FFD9BA1FD6F
Source: C:\Users\user\AppData\Roaming\BKTxiN.exe | Code function: 12_2_00007FFD9BA10BD5 pushad ; iretd 12_2_00007FFD9BA10BFD
Source: Amended Order #60-230958400.exe | Static PE information: section name: .text entropy: 7.972040894142059
Source: BKTxiN.exe.0.dr | Static PE information: section name: .text entropy: 7.972040894142059
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | File created: C:\Users\user\AppData\Roaming\BKTxiN.exe

                    Boot Survival

Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp"

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                    Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Memory allocated: 14E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Memory allocated: 1BD20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Memory allocated: 1690000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Memory allocated: 1BCF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8618
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 925
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8500
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1117
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe TID: 1908 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7540 Thread sleep count: 8618 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7548 Thread sleep count: 925 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7712 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7716 Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe TID: 7724 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: BKTxiN.exe, 0000000C.00000002.1714381872.000000001F7FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, Amended Order #60-230958400.exe, 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: hgfsZrw6
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process information queried: ProcessInformation
                    Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe Process queried: DebugPort
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process token adjusted: Debug
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe"
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BKTxiN.exe"
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Thread register set: target process: 7572
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Thread register set: target process: 7956
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: FE879AB010
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe base: 4F3A83E010
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp"
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp"
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Users\user\Desktop\Amended Order #60-230958400.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\BKTxiN.exeQueries volume information: C:\Users\user\AppData\Roaming\BKTxiN.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Amended Order #60-230958400.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Amended Order #60-230958400.exe PID: 2180, type: MEMORYSTR

Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Amended Order #60-230958400.exe PID: 2180, type: MEMORYSTR

Remote Access Functionality

Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.140d6ca0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Amended Order #60-230958400.exe.1409be60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Amended Order #60-230958400.exe PID: 2180, type: MEMORYSTR
MITRE ATT&CK Matrix (listed per tactic; a leading number is the count shown beside that technique in the report's matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 211 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 41 Virtualization/Sandbox Evasion; 211 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 111 Security Software Discovery; 1 Process Discovery; 41 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 12 System Information Discovery; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Input Capture; 11 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph
Behavior Graph ID: 1447830
Sample: Amended Order #60-230958400.exe
Start date: 27/05/2024
Architecture: WINDOWS
Score: 100
DNS/IP: 56.126.166.20.in-addr.arpa
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

Process tree:
Amended Order #60-230958400.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\BKTxiN.exe (PE32+)
    Dropped: C:\Users\user\AppData\Local\...\tmp61BF.tmp (XML)
    Signatures: Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Adds a directory exclusion to Windows Defender
    powershell.exe (started)
        Signature: Loading BitLocker PowerShell Module
        WmiPrvSE.exe (started)
        conhost.exe (started)
    powershell.exe (started)
        conhost.exe (started)
    schtasks.exe (started)
        conhost.exe (started)
    RegSvcs.exe (started)
        WerFault.exe (started)
BKTxiN.exe (started)
    Signature: Multi AV Scanner detection for dropped file
    schtasks.exe (started)
        conhost.exe (started)
    RegSvcs.exe (started)
        WerFault.exe (started)
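The process chain in the behavior graph above (powershell.exe adding a Windows Defender exclusion, schtasks.exe registering a task from an XML file dropped in a temp folder, and a bare RegSvcs.exe that is used as the injection target and then crashes into WerFault.exe) is the part of this report that translates most directly into host-based detection. The Python below is an added example, not part of the Joe Sandbox report and not any vendor's rule set: it runs three checks over process-creation events that are constructed here to mirror the chain, plus one benign control. The event layout, the task name, the RegSvcs.exe location and the exact exclusion path inside the encoded PowerShell are assumptions made for the example.

```python
"""Detection checks for the powershell.exe / schtasks.exe / RegSvcs.exe chain.

Added example: the events below are constructed for illustration and are not
taken from the report; field layout, task name and RegSvcs.exe path are assumed.
"""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Paths taken from the report's process tree (RegSvcs.exe location and the
# full temp-file path are assumptions).
SAMPLE_EXE = r"C:\Users\user\Desktop\Amended Order #60-230958400.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
TEMP_XML = r"C:\Users\user\AppData\Local\Temp\tmp61BF.tmp"


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record: parent image, image, command line."""
    parent_image: str
    image: str
    command_line: str


def encode_powershell(script: str) -> str:
    """powershell.exe -EncodedCommand expects Base64 over the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def build_sample_events() -> List[ProcEvent]:
    """Constructed events mirroring the report's chain, plus one benign control."""
    exclusion = encode_powershell(
        r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"')
    return [
        ProcEvent(SAMPLE_EXE, POWERSHELL,
                  f'"{POWERSHELL}" -NoProfile -WindowStyle Hidden -EncodedCommand {exclusion}'),
        ProcEvent(SAMPLE_EXE, SCHTASKS,
                  f'"{SCHTASKS}" /Create /TN "Updates\\BKTxiN" /XML "{TEMP_XML}"'),
        ProcEvent(SAMPLE_EXE, REGSVCS, f'"{REGSVCS}"'),
        # Benign control: an installer under Program Files registering its own task.
        ProcEvent(r"C:\Program Files\Vendor\setup.exe", SCHTASKS,
                  f'"{SCHTASKS}" /Create /TN "Vendor\\Update" /XML "C:\\Program Files\\Vendor\\task.xml"'),
    ]


# -EncodedCommand may be abbreviated to any unambiguous prefix; longest first so
# "-EncodedCommand" is not cut short at "-e".
_ENCODED_RE = re.compile(
    r"-(?:encodedcommand|encoded|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
_MPPREF_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)",
    re.IGNORECASE | re.DOTALL)
_XML_ARG_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    match = _ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell changing Defender preferences, in clear text or Base64."""
    if not ev.image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return False
    script = decode_encoded_command(ev.command_line) or ev.command_line
    return _MPPREF_RE.search(script) is not None


def rule_task_from_temp_xml(ev: ProcEvent) -> bool:
    """schtasks /Create importing a task definition from a temp directory."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return False
    cl = ev.command_line.lower()
    match = _XML_ARG_RE.search(cl)
    if "/create" not in cl or not match:
        return False
    xml_path = match.group(1) or match.group(2)
    return any(d in xml_path for d in TEMP_DIRS)


def _arguments_after_image(command_line: str) -> str:
    """Strip the (possibly quoted) image token and return what follows."""
    cl = command_line.strip()
    if cl.startswith('"'):
        closing = cl.find('"', 1)
        return cl[closing + 1:].strip() if closing != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) == 2 else ""


def rule_sacrificial_regsvcs(ev: ProcEvent) -> bool:
    """RegSvcs.exe normally receives an assembly path; a bare launch from a
    parent in a user-writable directory is the injection-target pattern."""
    if not ev.image.lower().endswith("regsvcs.exe"):
        return False
    user_writable = ev.parent_image.lower().startswith(("c:\\users\\", "c:\\programdata\\"))
    return _arguments_after_image(ev.command_line) == "" and user_writable


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "defender_exclusion_via_mppreference": rule_defender_exclusion,
    "scheduled_task_from_temp_xml": rule_task_from_temp_xml,
    "regsvcs_without_arguments_from_user_path": rule_sacrificial_regsvcs,
}


def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule name, parent -> image) hits."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, f"{ev.parent_image} -> {ev.image}"))
    return hits


if __name__ == "__main__":
    for rule_name, chain in triage(build_sample_events()):
        print(f"[{rule_name}] {chain}")
```

The benign control event is there to show why the schtasks rule keys on where the /XML definition lives rather than on /Create alone, and why the RegSvcs rule requires both an empty argument list and a parent under a user-writable path; either condition alone is common in legitimate software deployment. Decoding -EncodedCommand before matching matters because the Defender cmdlet never appears in clear text on the command line in this chain.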

Antivirus detection, submitted sample (Source | Detection | Scanner | Label | Link):
                    Amended Order #60-230958400.exe | 26% | ReversingLabs | Win64.Trojan.Generic |
                    Amended Order #60-230958400.exe | 37% | Virustotal | | Browse
                    Antivirus detection, dropped files (Source | Detection | Scanner | Label | Link):
                    C:\Users\user\AppData\Roaming\BKTxiN.exe | 26% | ReversingLabs | Win64.Trojan.Generic |
                    C:\Users\user\AppData\Roaming\BKTxiN.exe | 37% | Virustotal | | Browse
                    No Antivirus matches
                    Antivirus detection, domains (Source | Detection | Scanner | Label | Link):
                    56.126.166.20.in-addr.arpa | 3% | Virustotal | | Browse
                    Antivirus detection, URLs (Source | Detection | Scanner | Label | Link):
                    http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
                    http://www.fontbureau.com | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
                    https://account.dyn.com/ | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
                    http://www.tiro.com | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe |
                    http://www.carterandcone.coml | 0% | URL Reputation | safe |
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe |
                    http://www.typography.netD | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
                    https://api.ipify.org | 0% | URL Reputation | safe |
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
                    http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
                    http://www.fonts.com | 0% | URL Reputation | safe |
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe |
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    http://www.sakkal.com | 0% | URL Reputation | safe |
                    http://feeds.soundcloud.com/users/soundcloud:users:38128127/sounds.rss | 0% | Avira URL Cloud | safe |
                    http://feeds.soundcloud.com/users/soundcloud:users:38128127/sounds.rss | 0% | Virustotal | | Browse
                    Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
                    56.126.166.20.in-addr.arpa | unknown | unknown | false | | unknown
                    No contacted IP infos
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1447830
                    Start date and time:2024-05-27 08:58:08 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 9s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed:23
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:Amended Order #60-230958400.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@21/15@1/0
                    EGA Information:
                    • Successful, ratio: 50%
                    HCA Information:
                    • Successful, ratio: 78%
                    • Number of executed functions: 142
                    • Number of non-executed functions: 7
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • Execution Graph export aborted for target Amended Order #60-230958400.exe, PID 2180 because it is empty
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    02:58:57 | API Interceptor | 2x Sleep call for process: Amended Order #60-230958400.exe modified
                    02:58:59 | API Interceptor | 36x Sleep call for process: powershell.exe modified
                    02:59:01 | API Interceptor | 2x Sleep call for process: BKTxiN.exe modified
                    07:58:59 | Task Scheduler | Run new task: BKTxiN path: C:\Users\user\AppData\Roaming\BKTxiN.exe
                    No context
                    Process:C:\Users\user\Desktop\Amended Order #60-230958400.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1510
                    Entropy (8bit):5.380493107040482
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                    MD5:3C7E5782E6C100B90932CBDED08ADE42
                    SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                    SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                    SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Users\user\AppData\Roaming\BKTxiN.exe
                    File Type:CSV text
                    Category:dropped
                    Size (bytes):1510
                    Entropy (8bit):5.380493107040482
                    Encrypted:false
                    SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNl+84xp3/VclT:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhAA
                    MD5:3C7E5782E6C100B90932CBDED08ADE42
                    SHA1:D498EE0833BB8C85592FB3B1E482267362DB3F74
                    SHA-256:361A6FF160343A2400F7D3FA4A009EA20C994B9788C190EB9D53E544BB376490
                    SHA-512:3A90D61631F4DC920860AEA31FDB5E56A102206311705D5D084E809D364F680B4E95F19CE9849D3F9CB3C2C273393FD2F2C67720BAAA885125EE358D59462B0A
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:modified
                    Size (bytes):64
                    Entropy (8bit):1.1940658735648508
                    Encrypted:false
                    SSDEEP:3:NlllulJnp/p:NllU
                    MD5:BC6DB77EB243BF62DC31267706650173
                    SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                    SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                    SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                    Malicious:false
                    Preview:@...e.................................X..............@..........
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):60
                    Entropy (8bit):4.038920595031593
                    Encrypted:false
                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                    Malicious:false
                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                    Process:C:\Users\user\Desktop\Amended Order #60-230958400.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1572
                    Entropy (8bit):5.109557621643775
                    Encrypted:false
                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtahxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT2v
                    MD5:9E5F9054BC97350897B90B908FD8D5CB
                    SHA1:BD11041855ECF41ADB5E5F853497C4BD1FFA4F94
                    SHA-256:9BCBF3A0EBDB8CF3EA4DCF1432531C8F4FC89EE71DF452B7D92E30F6CA8F1915
                    SHA-512:1857F9FA0A01DAD8EADB207E7526064A58B4991142E50398A11D07DEDF669918C36DE829BDA7AD53615ABB9EC2581BDA2C2437D334EF162D2CF99BD5FC91A91F
                    Malicious:true
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                    Process:C:\Users\user\AppData\Roaming\BKTxiN.exe
                    File Type:XML 1.0 document, ASCII text
                    Category:dropped
                    Size (bytes):1572
                    Entropy (8bit):5.109557621643775
                    Encrypted:false
                    SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtahxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT2v
                    MD5:9E5F9054BC97350897B90B908FD8D5CB
                    SHA1:BD11041855ECF41ADB5E5F853497C4BD1FFA4F94
                    SHA-256:9BCBF3A0EBDB8CF3EA4DCF1432531C8F4FC89EE71DF452B7D92E30F6CA8F1915
                    SHA-512:1857F9FA0A01DAD8EADB207E7526064A58B4991142E50398A11D07DEDF669918C36DE829BDA7AD53615ABB9EC2581BDA2C2437D334EF162D2CF99BD5FC91A91F
                    Malicious:false
                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                    Process:C:\Users\user\Desktop\Amended Order #60-230958400.exe
                    File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Category:dropped
                    Size (bytes):692736
                    Entropy (8bit):7.96714897107417
                    Encrypted:false
                    SSDEEP:12288:4X8zViLZJsOnfWytRbYGV8DFnW2/wVJE8700kolAjp3B+nBPObIPCDKf:FzViDLfWytRbYMGnz/t870QAlBg2bh4
                    MD5:4A345CEE9677362BB87D2840ECD2991B
                    SHA1:8F3B6F82059EB1B39E31AC1C8099D0F09C884C2A
                    SHA-256:F5BEE238D5326BB4E83D23C618286E6C8163B7D796C7245AD27AD95EEB9A1CA5
                    SHA-512:1349869502D7ACFF5BD6CD12E309A2DBFA2386B87463B14DD75F0AB8BAF293A6E4FAC01A11AFD85177CBF10835B668EB0F73CB40DC272A782D7264953FA9554B
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 26%
                    • Antivirus: Virustotal, Detection: 37%, Browse
                    Process:C:\Users\user\Desktop\Amended Order #60-230958400.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:false
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.96714897107417
                    TrID:
                    • Win64 Executable GUI Net Framework (217006/5) 49.88%
                    • Win64 Executable GUI (202006/5) 46.43%
                    • Win64 Executable (generic) (12005/4) 2.76%
                    • Generic Win/DOS Executable (2004/3) 0.46%
                    • DOS Executable Generic (2002/1) 0.46%
                    File name:Amended Order #60-230958400.exe
                    File size:692'736 bytes
                    MD5:4a345cee9677362bb87d2840ecd2991b
                    SHA1:8f3b6f82059eb1b39e31ac1c8099d0f09c884c2a
                    SHA256:f5bee238d5326bb4e83d23c618286e6c8163b7d796c7245ad27ad95eeb9a1ca5
                    SHA512:1349869502d7acff5bd6cd12e309a2dbfa2386b87463b14dd75f0ab8baf293a6e4fac01a11afd85177cbf10835b668eb0f73cb40dc272a782d7264953fa9554b
                    SSDEEP:12288:4X8zViLZJsOnfWytRbYGV8DFnW2/wVJE8700kolAjp3B+nBPObIPCDKf:FzViDLfWytRbYMGnz/t870QAlBg2bh4
                    TLSH:ACE4121A3271CB43C8BB43F5892A595407B34E5E2072DE4D0D8774EE4ABAF454E22BDB
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Sf.........."...0..t............... .....@..... ....................................@...@......@............... .....
                    Icon Hash:040917344b4fd9cd
                    Entrypoint:0x140000000
                    Entrypoint Section:
                    Digitally signed:false
                    Imagebase:0x140000000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x6653D6F0 [Mon May 27 00:42:24 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:
                    Instruction
                    dec ebp
                    pop edx
                    nop
                    add byte ptr [ebx], al
                    add byte ptr [eax], al
                    add byte ptr [eax+eax], al
                    add byte ptr [eax], al
                    Name                                 | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xaa000         | 0x1a7c       | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_IAT            | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000          | 0x48         | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                    Name  | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy           | Characteristics
                    .text | 0x2000          | 0xa72e4      | 0xa7400  | 89684982a06db12e8b049e6fd9f2fca9 | False    | 0.96839966367713   | data      | 7.972040894142059 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xaa000         | 0x1a7c       | 0x1c00   | 1246954669855eb608539f33ceaa0fc5 | False    | 0.8138950892857143 | data      | 7.198850658900272 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    Name          | RVA     | Size   | Type                                                                                | Language | Country | ZLIB Complexity
                    RT_ICON       | 0xaa100 | 0x144d | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                         |          |         | 0.9694054262074273
                    RT_GROUP_ICON | 0xab560 | 0x14   | data                                                                                |          |         | 1.05
                    RT_VERSION    | 0xab584 | 0x2f8  | data                                                                                |          |         | 0.45921052631578946
                    RT_MANIFEST   | 0xab88c | 0x1ea  | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   |          |         | 0.5489795918367347
                    Timestamp                          | Source Port | Dest Port | Source IP    | Dest IP
                    May 27, 2024 08:59:31.102351904 CEST | 53          | 52889     | 162.159.36.2 | 192.168.2.4
                    May 27, 2024 08:59:31.595966101 CEST | 64808       | 53        | 192.168.2.4  | 1.1.1.1
                    May 27, 2024 08:59:31.605178118 CEST | 53          | 64808     | 1.1.1.1      | 192.168.2.4
                    Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name                       | Type                 | Class       | DNS over HTTPS
                    May 27, 2024 08:59:31.595966101 CEST | 192.168.2.4 | 1.1.1.1 | 0x7603   | Standard query (0) | 56.126.166.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                    Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code     | Name                       | CName | Address | Type                 | Class       | DNS over HTTPS
                    May 27, 2024 08:59:31.605178118 CEST | 1.1.1.1   | 192.168.2.4 | 0x7603   | Name error (3) | 56.126.166.20.in-addr.arpa | none  | none    | PTR (Pointer record) | IN (0x0001) | false

                    Target ID:0
                    Start time:02:58:56
                    Start date:27/05/2024
                    Path:C:\Users\user\Desktop\Amended Order #60-230958400.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\Amended Order #60-230958400.exe"
                    Imagebase:0x7ff7699e0000
                    File size:692'736 bytes
                    MD5 hash:4A345CEE9677362BB87D2840ECD2991B
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1677738266.0000000015992000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1677738266.0000000014007000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Amended Order #60-230958400.exe"
                    Imagebase:0x7ff788560000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\BKTxiN.exe"
                    Imagebase:0x7ff788560000
                    File size:452'608 bytes
                    MD5 hash:04029E121A0CFA5991749937DD22A1D9
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp61BF.tmp"
                    Imagebase:0x7ff76f990000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:02:58:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:02:58:59
                    Start date:27/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Imagebase:0x2cb4f3b0000
                    File size:45'472 bytes
                    MD5 hash:DC67ADE51149EC0C373A379473895BA1
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:false

                    Target ID:11
                    Start time:02:58:59
                    Start date:27/05/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7572 -s 12
                    Imagebase:0x7ff6cf890000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:02:58:59
                    Start date:27/05/2024
                    Path:C:\Users\user\AppData\Roaming\BKTxiN.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Users\user\AppData\Roaming\BKTxiN.exe
                    Imagebase:0xdc0000
                    File size:692'736 bytes
                    MD5 hash:4A345CEE9677362BB87D2840ECD2991B
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Antivirus matches:
                    • Detection: 26%, ReversingLabs
                    • Detection: 37%, Virustotal
                    Reputation:low
                    Has exited:true

                    Target ID:13
                    Start time:02:59:01
                    Start date:27/05/2024
                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Imagebase:0x7ff693ab0000
                    File size:496'640 bytes
                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:02:59:02
                    Start date:27/05/2024
                    Path:C:\Windows\System32\schtasks.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BKTxiN" /XML "C:\Users\user\AppData\Local\Temp\tmp6FE8.tmp"
                    Imagebase:0x7ff76f990000
                    File size:235'008 bytes
                    MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:15
                    Start time:02:59:02
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:16
                    Start time:02:59:02
                    Start date:27/05/2024
                    Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                    Imagebase:0x20e371d0000
                    File size:45'472 bytes
                    MD5 hash:DC67ADE51149EC0C373A379473895BA1
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:18
                    Start time:02:59:02
                    Start date:27/05/2024
                    Path:C:\Windows\System32\WerFault.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\WerFault.exe -u -p 7956 -s 12
                    Imagebase:0x7ff6cf890000
                    File size:570'736 bytes
                    MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: L
                      • API String ID: 0-2909332022
                      • Opcode ID: 2e10a2164cdc3d648775e8fb07995398f8c6d77a7356fbcb5da5c28f26c0de1e
                      • Instruction ID: 14c26d469e2b3c7cc81ff48980632acb7f569c785c8a858e27432d3a073758ac
                      • Opcode Fuzzy Hash: 2e10a2164cdc3d648775e8fb07995398f8c6d77a7356fbcb5da5c28f26c0de1e
                      • Instruction Fuzzy Hash: C602F07190E3C94FE3669B6488695A53FB0EF57310F1A01EFE4CAC71A3DA686906C352
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: ~
                      • API String ID: 0-1707062198
                      • Opcode ID: 3f8986e161152a5099c8108150238ff34025df031aa886b834900418f5a4c068
                      • Instruction ID: 6a46b33029b8b01f0f9dfa4a28c2b1fbb34b02094660382dd19ab1571d9fac35
                      • Opcode Fuzzy Hash: 3f8986e161152a5099c8108150238ff34025df031aa886b834900418f5a4c068
                      • Instruction Fuzzy Hash: F2328334A1991E8FEBA4DB48C464BA873A1FF99310F5101BCD40DD76A5CE79AE82CF40
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: 7
                      • API String ID: 0-1790921346
                      • Opcode ID: 7b2b71b7ac313fd7427891540ba3be1284d426f8f95a19090bfba78773243afa
                      • Instruction ID: d11565dc3d0d9aed7c6bf94f2d124e63c961ca0c6a5ec5f8e420253382c81608
                      • Opcode Fuzzy Hash: 7b2b71b7ac313fd7427891540ba3be1284d426f8f95a19090bfba78773243afa
                      • Instruction Fuzzy Hash: 2911A030B5951D4BD76CAB2888A55BD73E2EB99710B24A43ED49BC32E2DD68FA034640
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: ^
                      • API String ID: 0-1590793086
                      • Opcode ID: 0c58d092b521a3b8e3e422a0d1a3f21f843fa2d46f65c765c37e1043ad892275
                      • Instruction ID: d2236d695c4a1a3ee860a9caa54cee9fd12ef148d1c90c03a9a20c033cb155c3
                      • Opcode Fuzzy Hash: 0c58d092b521a3b8e3e422a0d1a3f21f843fa2d46f65c765c37e1043ad892275
                      • Instruction Fuzzy Hash: 9B11A330B5E65A4AE77CAB68C4A41BD73E1FB44711F21643EE4DBC21E1EE78FA424600
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: 7
                      • API String ID: 0-1790921346
                      • Opcode ID: 424cdd53031e065d3c39b8ccb5adb710e39e8919ab0c286bc5995b678c63fcfc
                      • Instruction ID: d5c4491d30045e159a820b31e889450478b69cf88cdeb1e9e6ab511577ba5526
                      • Opcode Fuzzy Hash: 424cdd53031e065d3c39b8ccb5adb710e39e8919ab0c286bc5995b678c63fcfc
                      • Instruction Fuzzy Hash: 1C012630B5D1094AE77CAB24C4A04BD73E1FB45310F21643ED097C21E2DE78EA424640
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID: o+
                      • API String ID: 0-251698391
                      • Opcode ID: 993b92077960d2a97d6c05b957c77e0ecc3a532fbb5e4dc410d3fc998754e17e
                      • Instruction ID: 1ad171044397755a6652ae7f2dbc270589dd1560f22a351f3c491769531323f5
                      • Opcode Fuzzy Hash: 993b92077960d2a97d6c05b957c77e0ecc3a532fbb5e4dc410d3fc998754e17e
                      • Instruction Fuzzy Hash: E4F0EC30A0E95C9FDF95DF58D4A4BA877B1FF59714F1501EAD00E972A2CA746E84CB00
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f8d0e4cf8f8338c1ae52ac43ac8e786dc1da1bb889918ee0fb1affb163cd94e
                      • Instruction ID: c07b98bf2d706936f81dc6af509abd32c40bc2b86471c7662d4eb0a080b3c82f
                      • Opcode Fuzzy Hash: 7f8d0e4cf8f8338c1ae52ac43ac8e786dc1da1bb889918ee0fb1affb163cd94e
                      • Instruction Fuzzy Hash: CE328B70A0995D9FDFA8EF58C8A5BA8B7B1FB68301F1501E9D00DE3291CA75AD81CF41
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 17d9d6cd866dd576aa496731a7684dd5777ef945fade4258dcebc8842bf3b338
                      • Instruction ID: 027aafa9bed6f90c667da00d26bc1aeb9f387b078a2ab8815da6ed6e005329c8
                      • Opcode Fuzzy Hash: 17d9d6cd866dd576aa496731a7684dd5777ef945fade4258dcebc8842bf3b338
                      • Instruction Fuzzy Hash: B31209B190E38A4FE766D76488216643FB0EF56300F1965FBC089CB1B3EA6C5D49C751
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f9b67cc4411194bc9602b12e12292498b9d50e6a6b25378d95b9f9de349a0d78
                      • Instruction ID: 03d26c847dedc016e617c1af364c419adb24f3fa744a835a90289df6fb444220
                      • Opcode Fuzzy Hash: f9b67cc4411194bc9602b12e12292498b9d50e6a6b25378d95b9f9de349a0d78
                      • Instruction Fuzzy Hash: 19F18A71A0995D9FDFA9EF58C8A5BA8B7B1FB68300F1501EAD00DD3291CE756D808F41
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7d79340172824e08d8d45a37d12b6ddb71f9450fc54c4dc977ab0a8509bbf86a
                      • Instruction ID: efd4cc5c0499dd1a0d688c48e823b1b2ea27854ff462531bee12af20cacaabae
                      • Opcode Fuzzy Hash: 7d79340172824e08d8d45a37d12b6ddb71f9450fc54c4dc977ab0a8509bbf86a
                      • Instruction Fuzzy Hash: 46F1B734A0895D8FDB98EF58C8A5BA9B3F2FF68301F5101E9D41DD7296CA75AD81CB00
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fd74d73b422412a93872d539b52c578cc0849c7ad754f8d26d160d17a2034b1b
                      • Instruction ID: 8cd39ee46ce70c39a6321bc387c7abc3815fcf9f6f072fc9f2285c2d8f594f27
                      • Opcode Fuzzy Hash: fd74d73b422412a93872d539b52c578cc0849c7ad754f8d26d160d17a2034b1b
                      • Instruction Fuzzy Hash: C6A1CC31E0DA4D8FDBE1EB98D860AE97BB4FF95310F1101BAD00DD72A1DA759A85CB40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7a06b06e546c0df961abb347794ac1370f8d21e1fdd462e3b4f11aa6efc46fb
                      • Instruction ID: fc091012a348aea04ac7e8e33618058d45a0d6ff84102b5081b76b7fc5f4fb2e
                      • Opcode Fuzzy Hash: d7a06b06e546c0df961abb347794ac1370f8d21e1fdd462e3b4f11aa6efc46fb
                      • Instruction Fuzzy Hash: 3FC1F971E0461D8FDF98EF48C495AADB7B2FFA8300F1481AAD05DE7255DA74A981CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cfaf9b03e73d3afab955c40711c78bc3cfdf61e1a84734de9c630da15f9e9942
                      • Instruction ID: de751a0010922f7d742faa858deb8d7e623b114ee0495903afd2f6bacb4ff223
                      • Opcode Fuzzy Hash: cfaf9b03e73d3afab955c40711c78bc3cfdf61e1a84734de9c630da15f9e9942
                      • Instruction Fuzzy Hash: 13A14B70A15A1DCFDBA9DF48C8A1BE8B7B1FB69304F5001ADC44AD7691CA756E82CF40
                      Memory Dump Source
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6357f841e560efc3bb2f2557bf77f6c239ea3f847ea425f6cd8f9f446e86d63a
                      • Instruction ID: 7d3722cddd61378871428864a89a367a9282f912d2b6b65f55909fb3460b19b3
                      • Opcode Fuzzy Hash: 6357f841e560efc3bb2f2557bf77f6c239ea3f847ea425f6cd8f9f446e86d63a
                      • Instruction Fuzzy Hash: D121CA30A0991D8FDFA4DB58C8A4AA8B3B1FF59305F5111E9D00ED72A1CB75AE80CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8ffb151270b75f89eb3e9e19d0766d2c00127b9d05fc5d00915eadd67bdc0c3
                      • Instruction ID: d22df1d6e139985ad5c18bf1c9a5e3e3dd9777bbc45fac7a0316628e817f46cb
                      • Opcode Fuzzy Hash: a8ffb151270b75f89eb3e9e19d0766d2c00127b9d05fc5d00915eadd67bdc0c3
                      • Instruction Fuzzy Hash: 4E219372A0990D8FEBA4DB58C8547A977F1EFA9340F0401BBD04CE3191DF7529418B50
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 228c59f1de2d42f8b0873080ede36d17119d2b1d8bb29bbb332f2a44c3735b80
                      • Instruction ID: c4d9eaf079674fff1d74a92d178cf08cc634bc0814ef7e7657129d1b3449516d
                      • Opcode Fuzzy Hash: 228c59f1de2d42f8b0873080ede36d17119d2b1d8bb29bbb332f2a44c3735b80
                      • Instruction Fuzzy Hash: C6019630A09A4D9EDBF8DF68C9607A976E1FB55300F01017BE41DD3294DE7559448781
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e39b3f6043b3164fcc0a9d2e99608b19cb3bc129404f54262d2160339bc26d14
                      • Instruction ID: 7e03e3716f58e69c5233d0c159bd54364916cda7dea1e9af1fdb650720e6a078
                      • Opcode Fuzzy Hash: e39b3f6043b3164fcc0a9d2e99608b19cb3bc129404f54262d2160339bc26d14
                      • Instruction Fuzzy Hash: 4B01A12148F2C96FE76347A05C225E53F789F03210F0A01EBE4898A4B3C9AD175AC362
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02e95bed7ebe22bd376aa396704223f468c3a979eb075ea3e4d51405da4fd1e0
                      • Instruction ID: c716169ae5c6c9d1a68a584c287a727072276cc7358d71a4cd6cbc7d53fad3c8
                      • Opcode Fuzzy Hash: 02e95bed7ebe22bd376aa396704223f468c3a979eb075ea3e4d51405da4fd1e0
                      • Instruction Fuzzy Hash: 4301753075954A4BD77CAB58C4A55B833E6FB45311F24603ED497C61E2DE78EA434640
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ca1038ead0e0e902de938aff97217fa7edd1a2401a7c429ac2d33de9b077bb67
                      • Instruction ID: 8430217cbe4a8e8b90ade67bf0b0d067f24355eb345b827c9089e830e9d15bbc
                      • Opcode Fuzzy Hash: ca1038ead0e0e902de938aff97217fa7edd1a2401a7c429ac2d33de9b077bb67
                      • Instruction Fuzzy Hash: 33F0AF3094A68E8FE7A1EFA0CC646E677A0FF46200F0610B6E459C70A2DE78A655C711
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bcb0dbb08a42a931c2575e578dbe96a8fe8cfb14b99166f33b604f163bf2598e
                      • Instruction ID: c0dace4dcdcf68113bad86a6f72057d81677cf8b97544531df0d0e8e49975272
                      • Opcode Fuzzy Hash: bcb0dbb08a42a931c2575e578dbe96a8fe8cfb14b99166f33b604f163bf2598e
                      • Instruction Fuzzy Hash: 1D01A230B695494AE778AF28C8A45F833D2FB45315F24513ED49BC21E2DE78EA424640
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: cec495a82be95917eea2915b20681943f9b95e1b1641b32845e671a7cb5c9c82
                      • Instruction ID: 43e58a0e919af21089c4934263de13596162c8d3cd5e788dace6207d04203715
                      • Opcode Fuzzy Hash: cec495a82be95917eea2915b20681943f9b95e1b1641b32845e671a7cb5c9c82
                      • Instruction Fuzzy Hash: 2B01B5A2E0E54D5EFBE5DB5888257A877B0FF65340F1401FBC08CE71A2EE2429418B41
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                      • Instruction ID: a62c20dc15d0921ef92aa1d4908fbdad627bee8a1915bed537e69dd6fe756e9e
                      • Opcode Fuzzy Hash: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                      • Instruction Fuzzy Hash: 16013974A0892C8FCFA9DF58C895BA8B7B1FB69301F5041DAC04DE7251CB71AA85CF01
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3569457064951c988f9b7c2e0f1fdad0aa2dee6e02d721b57f5294e0ae7b7a62
                      • Instruction ID: 7f42b3e15e20a74c5426274b2ece24835f06b639c95c121ee2ab2a1a71a63bab
                      • Opcode Fuzzy Hash: 3569457064951c988f9b7c2e0f1fdad0aa2dee6e02d721b57f5294e0ae7b7a62
                      • Instruction Fuzzy Hash: 7A01FE70A0992C9FDFA8EF18C894FA9B7B1EB69301F5041DA804DE7251CA71AA85CF01
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                      • Instruction ID: c6315d8f09b65919022fd50adf95fdcf8443ef21aa712153ae57820babbdc246
                      • Opcode Fuzzy Hash: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                      • Instruction Fuzzy Hash: 6001FE7091892C8FCFE9EB08C894BE9B7B1EB68301F1041E9900DE3660CA71AEC1CF40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4cfec57d53772b0812efbadd3073eee244b1762790425d210ffb56155d2d73e7
                      • Instruction ID: e4dc9c67277c47ad5befb73e18552350d2b71626c052bbc973b83089aec0430a
                      • Opcode Fuzzy Hash: 4cfec57d53772b0812efbadd3073eee244b1762790425d210ffb56155d2d73e7
                      • Instruction Fuzzy Hash: C801127095955D8FCB95EFA8C854FADBBB0FF15300F1400E9D00DD7195DA759945CB00
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 525adabb46436e71df3b6b4453fe3793391af785fbacbba961fdd23567f32d69
                      • Instruction ID: 5ab2c8be717d6da922d20d6aecd658e0f5ab983bf13e82c9f8c740ec62f07902
                      • Opcode Fuzzy Hash: 525adabb46436e71df3b6b4453fe3793391af785fbacbba961fdd23567f32d69
                      • Instruction Fuzzy Hash: 97F0E565A1F38E0AE3A6B77848791E93FA0DF56344F0718BAE495C60E7EC6A5544C201
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 48fdea7c56624fc6830551427e5eeb2c0a23149ed6891165b8127db422e40e8c
                      • Instruction ID: b23cf80888b62228360b49d07ef5b43a84736c42d63297bf84795ff8c8186bc6
                      • Opcode Fuzzy Hash: 48fdea7c56624fc6830551427e5eeb2c0a23149ed6891165b8127db422e40e8c
                      • Instruction Fuzzy Hash: C8F06530A8B54ECFDB78FF98D4116FA36A4FF58304F110535E81D822A5CA79A354CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8fc4863bc387c31323c94889caf6f0c6c7d63e1dd50d0e4c9a1d1c6898e900c2
                      • Instruction ID: abcd23a43aa75cf71f2672b2a0d58483df15fa49e37bbba946ae1a493e1afdc8
                      • Opcode Fuzzy Hash: 8fc4863bc387c31323c94889caf6f0c6c7d63e1dd50d0e4c9a1d1c6898e900c2
                      • Instruction Fuzzy Hash: 23E08C71A0CA899FC3A4CF9CD0A0626B7D2EB88354F41453DF04EC3A61DAB1A8429740
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3fe5c99d551257a14d53f0ac6242e26fb3fe1441431a0287c393f78537349de9
                      • Instruction ID: 0d4d99095cea273f7ef8fe2db25459376b0598b31d73b421e661a5545d51a3ff
                      • Opcode Fuzzy Hash: 3fe5c99d551257a14d53f0ac6242e26fb3fe1441431a0287c393f78537349de9
                      • Instruction Fuzzy Hash: 9DE04F3280E3C85FD7635B608C215A9BFB0AF43100F4A52D7E4888B0B3E75C6B18C352
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 04a5c5f64f28a25cdb26019ad68e265617b03c4f4fc4e0629134fe3a954ecc32
                      • Instruction ID: a0fbc5ab3ce75885d158d75d0e490b70b6b28c03a6c6a788cc79acace504d90e
                      • Opcode Fuzzy Hash: 04a5c5f64f28a25cdb26019ad68e265617b03c4f4fc4e0629134fe3a954ecc32
                      • Instruction Fuzzy Hash: 3CD01231F5944D8AE7B0DB58D8516FC7661EF84310F9110F2D14DD3195DDB92E918B40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 898c8750e191073daefa6ce97b61a01632b2f98a5e20f35fd404580715c683dd
                      • Instruction ID: 9e2760bcdab90fe221cfbcd7f0e00f85abf4a887a3b8e406cb5101ea1b2695cb
                      • Opcode Fuzzy Hash: 898c8750e191073daefa6ce97b61a01632b2f98a5e20f35fd404580715c683dd
                      • Instruction Fuzzy Hash: F1D0C931E0940C9EDB94EF98E8515FCB7B5EF48210F0152B7E40DE3191DE312A918644
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f749b82b03f27bf6fb8d3d3b7b1bd5303bab80b55fb39cb2533ae7ba13e17992
                      • Instruction ID: 916edcd9872918b20c02f2ff3c080478b63ff418a86f0d529835a38c6f7f2b70
                      • Opcode Fuzzy Hash: f749b82b03f27bf6fb8d3d3b7b1bd5303bab80b55fb39cb2533ae7ba13e17992
                      • Instruction Fuzzy Hash: 86D05E7161898A8FDBD9DB18C4917E6B361FF29300F0442B7E80A97446CA206C01CB80
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72d12efb06eb0cff6d61ee02eba2fdb1afade250d364043d6e4ff7b1a5a3d8a3
                      • Instruction ID: c543a1cd07a4760ab04f6013dbce5c12617c436787df93834018494118ce1ca7
                      • Opcode Fuzzy Hash: 72d12efb06eb0cff6d61ee02eba2fdb1afade250d364043d6e4ff7b1a5a3d8a3
                      • Instruction Fuzzy Hash: 59C09B127CB51D0AD5D45A5C7C911A4B340D7451317C115B7D909C525AD85B494147C1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a98f832aea0622f5836717f34c964c3bd7ebb7ed5d694950725a54369edc9411
                      • Instruction ID: abc584e8182186cb4545fc6a9a1f3bcf6997be7f76bddc1fa7e7e00de9f7e4bd
                      • Opcode Fuzzy Hash: a98f832aea0622f5836717f34c964c3bd7ebb7ed5d694950725a54369edc9411
                      • Instruction Fuzzy Hash: 3FD09270E1A50E9EDBA4EFC588645BCBBB1EF54300F651039D019E22A0DEB82541CF00
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 604d64d13aaf38fe30b5f3eb7b563c9e6ab27d1bd29d423291c6863b25a324bf
                      • Instruction ID: 99d53e1ccbe7222102ca74be91171cf5006075793e9d3c4f5df9104d3c772f27
                      • Opcode Fuzzy Hash: 604d64d13aaf38fe30b5f3eb7b563c9e6ab27d1bd29d423291c6863b25a324bf
                      • Instruction Fuzzy Hash: 76C0C920E1961D6EDBB0AF54445037866A0AB15700F5110B5C04D92151CA7416808B01
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 86a71641b6823fa51cdd9585adb4b73ca199c832a82133791fb57e8a4d26150f
                      • Instruction ID: f1275fc9d43a6b39a124819fa8927c10c8bfb6a7e02fe2b9a15a72cfbcf15eef
                      • Opcode Fuzzy Hash: 86a71641b6823fa51cdd9585adb4b73ca199c832a82133791fb57e8a4d26150f
                      • Instruction Fuzzy Hash: 29416167A0E7C64FF3A687B848360993FD0EF5313871B02B7C8A5CA0F3E96559068651
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 20eaf000b072396a17863ed2214bb8668ddd379761af2ba60bba268869b411ba
                      • Instruction ID: d2ad9e0e20de98b2e55599149a466846672849f802773e4331588397193a6890
                      • Opcode Fuzzy Hash: 20eaf000b072396a17863ed2214bb8668ddd379761af2ba60bba268869b411ba
                      • Instruction Fuzzy Hash: 8041065BA0FBDA4EF2A25BBD1CA10D63B90DF9323D70A13BBC4A4870F3AD6555078250
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 73b56e926d9a865b4ad666fec99279ac955902de4cdb9428a5d430c67023e720
                      • Instruction ID: 9a105666d96f8c64edc5fc731da2d58edffadd623c3d061be5b7df2a51fb077d
                      • Opcode Fuzzy Hash: 73b56e926d9a865b4ad666fec99279ac955902de4cdb9428a5d430c67023e720
                      • Instruction Fuzzy Hash: D731761670EBC64FF2A2437C8839099AFE0AF5313831E53F6C9E94B4F7DA5495069241
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db3218acb6df267bfab5d48f473798fc6a9a67ae83ee242faba6b0b03a66ea47
                      • Instruction ID: 4c9018c3aaeca406c8f949aa50600b08ef769a43d02915d80313896d00f456f5
                      • Opcode Fuzzy Hash: db3218acb6df267bfab5d48f473798fc6a9a67ae83ee242faba6b0b03a66ea47
                      • Instruction Fuzzy Hash: 54319557B4E9C68FF2A2867D4C760D67BE0FF6323470A13B2C8E8870E3AE5915078255
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b6c47396aa4437522bcf9ab94ae682a64f418f598dfd506fcfacb3a45709df68
                      • Instruction ID: a649496cb7ca7cf012185b2ecadf982c6b06d6c6243100edc1453614ec84b02a
                      • Opcode Fuzzy Hash: b6c47396aa4437522bcf9ab94ae682a64f418f598dfd506fcfacb3a45709df68
                      • Instruction Fuzzy Hash: AA218147B0F7CA4BE2A647AD5CB10E67FA0EF9323870B13F3C4A4860E3AD5955078260
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7d8109939fe78623e350d939e1ce5a6422a8af0a233b3eec661f3c7ddff7f681
                      • Instruction ID: 2756ac1b9bacc9476a6bf9f77e417995be6c9b2fd8666e764e57f1cee99c0c19
                      • Opcode Fuzzy Hash: 7d8109939fe78623e350d939e1ce5a6422a8af0a233b3eec661f3c7ddff7f681
                      • Instruction Fuzzy Hash: E4216057B0F7CA4AF2B547AD5CB10EA7BA0DF9327870B13B3C5A4870E3AD6599078250
                      Memory Dump Source
                      • Source File: 00000000.00000002.1690009621.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7ffd9ba10000_Amended Order #60-230958400.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a159f8d8afa22f1625b952d2aa8fdf7a503877149888196bf380642d9d114ea6
                      • Instruction ID: 4001205837b2973460749c111c29d27e933d91541b3666fd91b4104d72c558df
                      • Opcode Fuzzy Hash: a159f8d8afa22f1625b952d2aa8fdf7a503877149888196bf380642d9d114ea6
                      • Instruction Fuzzy Hash: D8217157B0FBCA4BF2B547AD5CB10E67BA0DF9327870B13B3C5A8860E36D65A5078250

                      Execution Graph

                      Execution Coverage: 12.7%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 13%
                      Total number of Nodes: 23
                      Total number of Limit Nodes: 0

                      Control-flow Graph

                      Control-flow graph (rendered image not reproduced): basic blocks 7ffd9ba19860 through 7ffd9ba1a212, numbered 183 to 242; block 196 (7ffd9ba19ab0-7ffd9ba19ab7) calls 7ffd9ba171f8, block 199 (7ffd9ba19ad0-7ffd9ba19add) calls 7ffd9ba17218, and the final block 242 (7ffd9ba1a212) branches to itself.
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: L
                      • API String ID: 0-2909332022
                      • Opcode ID: 4df964beb87305fc4e35859d02c1d61e399186e21d51c69c9a1a65f95094412b
                      • Instruction ID: b11d9f36c877eb651f0f7c5e2922a3890b294bb17237339691f057d0689bc566
                      • Opcode Fuzzy Hash: 4df964beb87305fc4e35859d02c1d61e399186e21d51c69c9a1a65f95094412b
                      • Instruction Fuzzy Hash: F002017190E3C94FE3669B7488695A53FB0EF47310F0A01EFE0CAC71A3DA686906C752

                      Control-flow Graph

                      Control-flow graph (rendered image not reproduced): basic blocks 7ffd9ba28f92 through 7ffd9ba290ff, numbered 271 to 278; block 273 (7ffd9ba28faa-7ffd9ba290b7) calls NtUnmapViewOfSection.
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: SectionUnmapView
                      • String ID:
                      • API String ID: 498011366-0
                      • Opcode ID: 37255ad8fceca6cac2719efd6cdbd2c52fe6fdd03a565a61539100ea881b8df7
                      • Instruction ID: 5a12fca4dd1135c252e287f53664bf5daba55dee471a0faeae45053991d70d58
                      • Opcode Fuzzy Hash: 37255ad8fceca6cac2719efd6cdbd2c52fe6fdd03a565a61539100ea881b8df7
                      • Instruction Fuzzy Hash: 2A519C30A0868D8FDB55DFA8C845BEDBBF1FF66310F1442AAD049D7266C774A885CB41

                      Control-flow Graph

                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: ba6d0c0eadaedf5d3cad01336904e1adf52825277e699d5e0c6717b103b73f61
                      • Instruction ID: 8c533b73b95273eb9f5302f7f57d1b8ad9df68251b8f72390e03b41aafe20ad8
                      • Opcode Fuzzy Hash: ba6d0c0eadaedf5d3cad01336904e1adf52825277e699d5e0c6717b103b73f61
                      • Instruction Fuzzy Hash: AAF14C70A09A8D8FDBB8DF18C855BE937E1FB59311F10412EE84EC7691DBB49684CB41

                      Control-flow Graph

• Graph (rendered image not preserved): large function, entry block 7ffd9ba147f3-7ffd9ba14859, blocks spanning 7ffd9ba1436e-7ffd9ba14e27, with tight self-loops at 7ffd9ba14967 and 7ffd9ba14d60 and a back edge to the entry block; no imported API in this function
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: ~
                      • API String ID: 0-1707062198
                      • Opcode ID: c06ece2620248e37a8261adbbd6e880676ec7710ff75ff5618db81ac8ff2ae75
                      • Instruction ID: 2c8044a89381b97f7a4ea5ca596d3841d30957790a2097e360c50ff38fd5d74f
                      • Opcode Fuzzy Hash: c06ece2620248e37a8261adbbd6e880676ec7710ff75ff5618db81ac8ff2ae75
                      • Instruction Fuzzy Hash: A2328334A1991E8FEBA4DB48C464BA877A1FF99310F1141BCD40DD76A5CE796E82CF40

                      Control-flow Graph

• Graph (rendered image not preserved): 7 basic blocks, 7ffd9ba292c5-7ffd9ba294bf; WriteProcessMemory called from block 7ffd9ba293c0-7ffd9ba2945f
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 462a716021f806c5bce5e8342322b2be82e456939d680c2900117adeefb13f84
                      • Instruction ID: 91c9219f8d5fe5e4a353152412660fbd9b25f494e035d9274db1f3d0c9909405
                      • Opcode Fuzzy Hash: 462a716021f806c5bce5e8342322b2be82e456939d680c2900117adeefb13f84
                      • Instruction Fuzzy Hash: 4B611470A08A5C8FDB98DF58C895BE9BBF1FB6A310F1041AED04DE3251CB75A985CB41

                      Control-flow Graph

• Graph (rendered image not preserved): 5 basic blocks; entry block 7ffd9ba23348-7ffd9ba29398 followed by the tail blocks 7ffd9ba2939a-7ffd9ba294bf that the preceding WriteProcessMemory function also uses; WriteProcessMemory called from block 7ffd9ba293c0-7ffd9ba2945f
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7bca7ce1058f198cdb45e0291a00e3a27ceb3893f35393809b1ee87e532b8f88
                      • Instruction ID: aaf303338e06324802da4bd0fb51a694f9fb6cf677fb416d44c4b28b5448627c
                      • Opcode Fuzzy Hash: 7bca7ce1058f198cdb45e0291a00e3a27ceb3893f35393809b1ee87e532b8f88
                      • Instruction Fuzzy Hash: 54611570A08A5C8FDB98DF58C899BE9BBF1FB69310F1041AE904DE3251DB75A985CB40

                      Control-flow Graph

• Graph (rendered image not preserved): 3 basic blocks, 7ffd9ba29101-7ffd9ba292c0; VirtualAllocEx called from block 7ffd9ba29101-7ffd9ba29260
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: ffdccc57533887afa1ebe2d01d082face67af411eb622e81a35c35f21643d151
                      • Instruction ID: f0fe19071bd62a690c2909c91391d3ff277d4658d12a1b14ff7855bc297976db
                      • Opcode Fuzzy Hash: ffdccc57533887afa1ebe2d01d082face67af411eb622e81a35c35f21643d151
                      • Instruction Fuzzy Hash: 65512670908A5C8FDF98EF58C895BE9BBF1FB6A310F1051AAD04DE3251DB71A985CB40

                      Control-flow Graph

• Graph (rendered image not preserved): 3 basic blocks, 7ffd9ba29581-7ffd9ba296c9; SetThreadContext called from block 7ffd9ba29581-7ffd9ba29677
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: ContextThread
                      • String ID:
                      • API String ID: 1591575202-0
                      • Opcode ID: cb9275a7a8c3c9ce8e1b7e1610b899fb14582d39fae7cf0391aac18c8fe6828f
                      • Instruction ID: 4dae69615c3579abc38645a883ae266b988e216f5c81fd6017aec104846c5a10
                      • Opcode Fuzzy Hash: cb9275a7a8c3c9ce8e1b7e1610b899fb14582d39fae7cf0391aac18c8fe6828f
                      • Instruction Fuzzy Hash: 3A415D70A08A5C8FDB94DF98D849BEDBBF1FB69310F10816AD009E7256D774A985CF40

                      Control-flow Graph

• Graph (rendered image not preserved): 3 basic blocks, 7ffd9ba297d1-7ffd9ba298f9; ResumeThread called from block 7ffd9ba297d1-7ffd9ba298b3
                      APIs
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA1F000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA1F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba1f000_BKTxiN.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: fd4d966d2c6f43d0ed2615d565ccbc76702a04a80fe7afb0f1e2f83d5a3a4dc7
                      • Instruction ID: 7aad7467400a4216282a73ae6cc9af1c2151109c497c6c01add4391cb989fcb3
                      • Opcode Fuzzy Hash: fd4d966d2c6f43d0ed2615d565ccbc76702a04a80fe7afb0f1e2f83d5a3a4dc7
                      • Instruction Fuzzy Hash: 3741F970E0861C8FDB98DF98D499BEDBBF1FB69310F10416AD049E7251DA71A846CB40
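
The function listings in this part of the report show the injector calling, against a process it created (the CreateProcess block earlier in this section), NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread in that order: the process-hollowing chain behind the "Modifies the context of a thread in another process", "Writes to foreign memory regions" and "Creates a process in suspended mode" signatures. The following is an added example, not code from the Joe Sandbox report, from Joe Security or from the analysed sample: a small detector that replays that ordered sequence over an API-call trace, keyed on the (caller, target) process pair so that unrelated calls from the same process do not advance the state machine. The trace format (pid=/api=/target=/flags= tokens), the SAMPLE_TRACE lines and every pid in them are constructed for this example; real Sysmon, ETW or sandbox logs need their own parser.

```python
"""Added example: flag the process-hollowing API sequence listed in the report.

Trace format and sample lines are constructed for this example and are not
taken from the Joe Sandbox report.
"""
from dataclasses import dataclass
from typing import Iterable

# Ordered hollowing primitives as they appear in the report's function
# listings: create a host, unmap its image, allocate and write a new one,
# point the primary thread at it, resume it.
HOLLOWING_SEQUENCE = (
    "CreateProcess",
    "NtUnmapViewOfSection",
    "VirtualAllocEx",
    "WriteProcessMemory",
    "SetThreadContext",
    "ResumeThread",
)
CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit from the Win32 CreateProcess docs


@dataclass(frozen=True)
class ApiEvent:
    pid: int          # calling process
    api: str          # API name as logged
    target_pid: int   # process the call acts on (for CreateProcess: the new child)
    flags: int = 0    # dwCreationFlags for CreateProcess, otherwise 0


def parse_trace(lines: Iterable[str]) -> list[ApiEvent]:
    """Parse 'pid=<n> api=<name> target=<n> [flags=<hex>]' lines (constructed format)."""
    events: list[ApiEvent] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        events.append(ApiEvent(
            pid=int(fields["pid"]),
            api=fields["api"],
            target_pid=int(fields["target"]),
            flags=int(fields.get("flags", "0"), 16),
        ))
    return events


def find_hollowing(events: list[ApiEvent]) -> list[tuple[int, int]]:
    """Return (injector_pid, victim_pid) pairs that walked the full sequence in order.

    Progress is tracked per (caller, target) pair. A CreateProcess without
    CREATE_SUSPENDED never starts a chain; repeated calls of the current step
    (several WriteProcessMemory calls, one per section) are tolerated, and an
    out-of-order call is ignored rather than advancing the chain.
    """
    progress: dict[tuple[int, int], int] = {}
    hits: list[tuple[int, int]] = []
    for ev in events:
        key = (ev.pid, ev.target_pid)
        step = progress.get(key, 0)
        if step == len(HOLLOWING_SEQUENCE):
            continue  # already reported for this pair
        if ev.api == "CreateProcess":
            if ev.flags & CREATE_SUSPENDED:
                progress[key] = 1
            continue
        if step > 0 and ev.api == HOLLOWING_SEQUENCE[step]:
            progress[key] = step + 1
            if progress[key] == len(HOLLOWING_SEQUENCE):
                hits.append(key)
    return hits


def scan(trace_text: str) -> list[tuple[int, int]]:
    """Parse a whole trace and return the (injector, victim) pairs that match."""
    return find_hollowing(parse_trace(trace_text.splitlines()))


# Constructed trace: one full hollowing chain (4120 -> 5204) and one benign
# parent that writes into a child it started normally (6000 -> 6012).
SAMPLE_TRACE = """
# constructed for this example, not from the report
pid=4120 api=CreateProcess target=5204 flags=0x4
pid=4120 api=NtUnmapViewOfSection target=5204
pid=4120 api=VirtualAllocEx target=5204
pid=4120 api=WriteProcessMemory target=5204
pid=4120 api=WriteProcessMemory target=5204
pid=4120 api=SetThreadContext target=5204
pid=4120 api=ResumeThread target=5204
pid=6000 api=CreateProcess target=6012 flags=0x0
pid=6000 api=WriteProcessMemory target=6012
pid=6000 api=ResumeThread target=6012
"""

if __name__ == "__main__":
    for injector, victim in scan(SAMPLE_TRACE):
        print(f"process hollowing: pid {injector} into pid {victim}")
```

The match is deliberately strict: every step must appear, in order, for the same caller/target pair. Hollowing variants that skip NtUnmapViewOfSection, or that use NtCreateSection/NtMapViewOfSection instead of VirtualAllocEx plus WriteProcessMemory, need their own sequence tuple; adding alternatives is a matter of making individual steps optional in HOLLOWING_SEQUENCE rather than loosening the per-pair keying, which is what keeps the CLR's own cross-process memory calls from triggering it.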

                      Control-flow Graph

                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: 7
                      • API String ID: 0-1790921346
                      • Opcode ID: 47e5a0bfff566989615105c6e2446a92f92e8bad38c1b9d957297c940946e489
                      • Instruction ID: d11565dc3d0d9aed7c6bf94f2d124e63c961ca0c6a5ec5f8e420253382c81608
                      • Opcode Fuzzy Hash: 47e5a0bfff566989615105c6e2446a92f92e8bad38c1b9d957297c940946e489
                      • Instruction Fuzzy Hash: 2911A030B5951D4BD76CAB2888A55BD73E2EB99710B24A43ED49BC32E2DD68FA034640

                      Control-flow Graph

• Graph (rendered image not preserved): 15 basic blocks, 7ffd9ba183ee-7ffd9ba1856c, entry block 7ffd9ba18528-7ffd9ba18537; two internal calls to 7ffd9ba15ad0 (from blocks 7ffd9ba18422 and 7ffd9ba18432) and a self-loop at 7ffd9ba18409; no imported API in this function
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: ^
                      • API String ID: 0-1590793086
                      • Opcode ID: bea052178b84d5ed822e9e163bd793725d73f58037e17ecb0bf85cda65dd1496
                      • Instruction ID: d2236d695c4a1a3ee860a9caa54cee9fd12ef148d1c90c03a9a20c033cb155c3
                      • Opcode Fuzzy Hash: bea052178b84d5ed822e9e163bd793725d73f58037e17ecb0bf85cda65dd1496
                      • Instruction Fuzzy Hash: 9B11A330B5E65A4AE77CAB68C4A41BD73E1FB44711F21643EE4DBC21E1EE78FA424600

                      Control-flow Graph

• Graph (rendered image not preserved): 11 basic blocks, 7ffd9ba183ee-7ffd9ba184ae, entry block 7ffd9ba18499-7ffd9ba184a2; shares the body from 7ffd9ba183ee onward with the preceding function, including the two internal calls to 7ffd9ba15ad0 and the self-loop at 7ffd9ba18409; no imported API in this function
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: 7
                      • API String ID: 0-1790921346
                      • Opcode ID: 5c2d7672eb9621bdbe54b3191b5366a0ce0d1521216c6427caeca56a8b772dc8
                      • Instruction ID: d5c4491d30045e159a820b31e889450478b69cf88cdeb1e9e6ab511577ba5526
                      • Opcode Fuzzy Hash: 5c2d7672eb9621bdbe54b3191b5366a0ce0d1521216c6427caeca56a8b772dc8
                      • Instruction Fuzzy Hash: 1C012630B5D1094AE77CAB24C4A04BD73E1FB45310F21643ED097C21E2DE78EA424640

                      Control-flow Graph

• Graph (rendered image not preserved): 2 basic blocks, 7ffd9ba1353e-7ffd9ba13deb; no imported API in this function
                      Strings
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID: o+
                      • API String ID: 0-251698391
                      • Opcode ID: 8144a3a9612a547b2ad65c1429bf75ad950bdf20f6de07c0d39e9f029ca81991
                      • Instruction ID: d0fd24be47269e8e2114a6505a26511ba14d77914ace7b684e294dd1de4f4489
                      • Opcode Fuzzy Hash: 8144a3a9612a547b2ad65c1429bf75ad950bdf20f6de07c0d39e9f029ca81991
                      • Instruction Fuzzy Hash: 95F0EC30A0E95C9FDF99DF58D4A4BA877B1FB55714F1501EAD00E972A2CA746E84CB00
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 31273249295e2b6501a9ce82d0b3087e975b8eaa00fed11d807916edb80f6853
                      • Instruction ID: f57d913294b01a81d0dc48bfe7196a15c2c19362346b4fd7a544f4bcf1a332fa
                      • Opcode Fuzzy Hash: 31273249295e2b6501a9ce82d0b3087e975b8eaa00fed11d807916edb80f6853
                      • Instruction Fuzzy Hash: 75329B70A0995D9FDFA8EF58C8A5BA8B7B1FB68301F1501E9D00DE3291CA756E81CF41
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5aee48b97a6e1bd622ad64d7836afa40deec5b287351e9f70f206e7b3a4fe64
                      • Instruction ID: 50a4e75490a86222a835c8471d33998a3508e50f243bfa376d7583adc271bcad
                      • Opcode Fuzzy Hash: f5aee48b97a6e1bd622ad64d7836afa40deec5b287351e9f70f206e7b3a4fe64
                      • Instruction Fuzzy Hash: C312F9B190E28A4FE766D77488216643FB0EF56300F1A65FBC089CB1B3EA6C5D49C751
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 72bafd560f43c748ad5b282301c624c992eab03677f8cc4480ad3c44d003daa4
                      • Instruction ID: 27a4f11db0af4d3c8b890928fb745934edf45844a32570d700fad7d30b617bc8
                      • Opcode Fuzzy Hash: 72bafd560f43c748ad5b282301c624c992eab03677f8cc4480ad3c44d003daa4
                      • Instruction Fuzzy Hash: 44029A70A0995D9FDFA9EF58C8A5BA8B7B1FB68301F1501EAD00DD3291CE756E808F41
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ff6645378b0cc8d26111413d4b52521afc74e51b0894d1a875d8cacf48043f4
                      • Instruction ID: 9ce6c11fd237522062b7424cedffe81696cdcb59e6d6c36a37fc56706e7bb09f
                      • Opcode Fuzzy Hash: 8ff6645378b0cc8d26111413d4b52521afc74e51b0894d1a875d8cacf48043f4
                      • Instruction Fuzzy Hash: BCF1B634A0995D8FDB98EF58C8A5BA9B3F1FF68300F5101E9D41DD72A6CA75AD81CB00
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: faffd8a3583f54ba793255f4a1d72b2f4d3f2d22878534ead8b8c71afd6d31f5
                      • Instruction ID: d409d5e808eb0664592e25d85196d89710356e49632f4930825f33768f74562f
                      • Opcode Fuzzy Hash: faffd8a3583f54ba793255f4a1d72b2f4d3f2d22878534ead8b8c71afd6d31f5
                      • Instruction Fuzzy Hash: B4C1F970E0461D8FDF98EF58C4A5AADB7B2FF98300F1481AAD05DE7255DA74A981CF40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 22204bd905efb040f635cdbb072b7d1cccb4283c2b82f5d3b7ac4c6574815a89
                      • Instruction ID: d0966b57e1da95130345b80193b6d025862093b67fd2b792accbdd87b13d6088
                      • Opcode Fuzzy Hash: 22204bd905efb040f635cdbb072b7d1cccb4283c2b82f5d3b7ac4c6574815a89
                      • Instruction Fuzzy Hash: C8914E30A15A5DCFDB99DF48C8A1BE9B7B1FB59304F5001ADC44AD3691CA756E82CF40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a12dea69e477619ce2e332201577f998b2d7cf166b31c5682b6de1c284c98f9a
                      • Instruction ID: c784e918efc637aec459a56bdf427c29a045f20dcd5f4c50cc9947de7fd7c648
                      • Opcode Fuzzy Hash: a12dea69e477619ce2e332201577f998b2d7cf166b31c5682b6de1c284c98f9a
                      • Instruction Fuzzy Hash: A5817C30E0DA5D8FDBE5EB988860BE87BB5FF55300F1541BAD00DD72A2CA755A85CB40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 97f788d7c0e0c9aab766f0908e245133756c971f39ec6704dd495f8c146680f7
                      • Instruction ID: 670d14ea60d44d83a33f592eb5f56ce8a3e842d7c9a75b3bbd4fca18a3b8057d
                      • Opcode Fuzzy Hash: 97f788d7c0e0c9aab766f0908e245133756c971f39ec6704dd495f8c146680f7
                      • Instruction Fuzzy Hash: 9B718B31A0E2894FD365D724CC64A613BE2FF92300F1A52FAD089C71E7DA6CAD05C742
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2c43b7229b02c0f92870134706d4eab3c17957b2b0bfb36194a25c1dd98a8c00
                      • Instruction ID: a6d3c13d0bb9dc40243ff4760632b3a5b10eb650c1e6fa4cd53bf0bd8c4cc6c0
                      • Opcode Fuzzy Hash: 2c43b7229b02c0f92870134706d4eab3c17957b2b0bfb36194a25c1dd98a8c00
                      • Instruction Fuzzy Hash: A9716E30E0E65E9FDBE5DBA88864BE87BB1FF59300F1541BAD04DD72A2CA745985CB00
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f3643d09bdfede778f3060899328d8f4d5946ed67008698148bc6c27ed5445b2
                      • Instruction ID: 649224573c10b077e3814a94b4722cc9ac96edd56b6a84c9aba05cda78760e7e
                      • Opcode Fuzzy Hash: f3643d09bdfede778f3060899328d8f4d5946ed67008698148bc6c27ed5445b2
                      • Instruction Fuzzy Hash: E3614630A0E3C94FD76ADB6488655653FB1EF53310B1A41EFC08ACB1E3D968AD06C792
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1a82fcdd4a882c5fe3993c0744a649ec2c019a6a5ba5a235f1edb0b43c62b74a
                      • Instruction ID: 7cc0a6f317344d05a1ae41214d95850f789baa187fd0838d1940c7ea0c1d2458
                      • Opcode Fuzzy Hash: 1a82fcdd4a882c5fe3993c0744a649ec2c019a6a5ba5a235f1edb0b43c62b74a
                      • Instruction Fuzzy Hash: 75513731A0E6854FD75ADF64C8659613FB1EF6331071A42EAC08ACB1F3D968EC46C792
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7619ae2035a62878a2ac7ce536a5a79f7b1ddd5a00c5d099bb0ab8ea5277c252
                      • Instruction ID: b4599874f0f12df3534128ee0917e737ba96a90ab6cec5640bc62be030d2e18a
                      • Opcode Fuzzy Hash: 7619ae2035a62878a2ac7ce536a5a79f7b1ddd5a00c5d099bb0ab8ea5277c252
                      • Instruction Fuzzy Hash: CD519034A1691E9FEB98DF48C4A0BE9B7B2FF69300F1401B9D449D3795CA34AD82CB40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9dbe0d8bd86c23cfdb3aa7cd3cc157ea465d1abe927fee032e659b372f02544b
                      • Instruction ID: cbeeefe95e52cee49021fa9f2d4993f4b6e38a5da2b1705a89f93dc1148d637f
                      • Opcode Fuzzy Hash: 9dbe0d8bd86c23cfdb3aa7cd3cc157ea465d1abe927fee032e659b372f02544b
                      • Instruction Fuzzy Hash: E051BD22B0F2965BE717FB6CA8B58E53FD0EF02218B0D02F7E4994A0D3DD1A65498785
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 868ba1f4c700abde1265d766d5e325a16594a1637b637a61e9a684ed482b0daf
                      • Instruction ID: 31f49f2bd7c8c2a88fb1a01a16ab464dacf51481f52d162f34311bb64a2861af
                      • Opcode Fuzzy Hash: 868ba1f4c700abde1265d766d5e325a16594a1637b637a61e9a684ed482b0daf
                      • Instruction Fuzzy Hash: 7E610970A0951E8FDB98EF58C494EEDB3F1FF68300F1045A9E05DE7296DA34AA81CB51
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4d499afc13112b71b777689a9aa1f55cf38c25c623cf453f10527c4554dd455
                      • Instruction ID: 36746ac1c6c46e3728c968f633562637e2c64cec4a6be1cf466461d7c9cd6a88
                      • Opcode Fuzzy Hash: b4d499afc13112b71b777689a9aa1f55cf38c25c623cf453f10527c4554dd455
                      • Instruction Fuzzy Hash: C9512C16F0E59757F35677B868B58E93BD0EF11328B0E02F7D4AE4A0D7EC1A644D8284
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f91e01342ed96be46ef41e44267e235bd20280176687c6d4fbbc1ef22d93571
                      • Instruction ID: de2717a2abd3e1b18407dad7ea3bd7dda3ae843c46cfe5bbf49da7b8dfee85b1
                      • Opcode Fuzzy Hash: 0f91e01342ed96be46ef41e44267e235bd20280176687c6d4fbbc1ef22d93571
                      • Instruction Fuzzy Hash: BD41F521A0E2C54FE366977488691683FE1EF57314F1A42BBD489CB1F3E96C5A0AC352
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ea4e0e72e554ea2453727821dfab493d49cf430228137965065de2ea1044277
                      • Instruction ID: 9b2f364d32fc70242d21f67ac144707b564333d801ea9177463797d00d5a717f
                      • Opcode Fuzzy Hash: 3ea4e0e72e554ea2453727821dfab493d49cf430228137965065de2ea1044277
                      • Instruction Fuzzy Hash: 2441F221A0E2C54FE3669B7488681A93FE1EF53314F1A02BFD489C71F3D9685A0AC352
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 480a868b1ef0eaf762184ec5300043867de00ce93d05901208153a4480bb08c9
                      • Instruction ID: af44a33248c50c170f4612ba5a77627cfc9e7c8628b09e5255ccc5bb8a70a0e2
                      • Opcode Fuzzy Hash: 480a868b1ef0eaf762184ec5300043867de00ce93d05901208153a4480bb08c9
                      • Instruction Fuzzy Hash: 1D41D321A0E3C54FE367577448691A83FA1AF57314F1A01EFD4C9C71E3D96C5A0AC352
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b8699cfc8439fbdb565d7249c8493df91bbcaff7eed21c04144e5d1520087492
                      • Instruction ID: 073e2efd899967f1304e67f77993d7ef5b8464a313d73af794d0bc9ab69643c7
                      • Opcode Fuzzy Hash: b8699cfc8439fbdb565d7249c8493df91bbcaff7eed21c04144e5d1520087492
                      • Instruction Fuzzy Hash: 3B41D061A0E3C54FE367977488691653FE1AF57314F1A01EFE4C9CB1E3D9685A0AC322
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b9540bbdb32880587c381ec713541eb8453be1cfb17515e4df41b77d1997a2f1
                      • Instruction ID: 956ad4ae1f2763a740100dccd10593c004e40971f1d1a6964ff9329e7f4d0472
                      • Opcode Fuzzy Hash: b9540bbdb32880587c381ec713541eb8453be1cfb17515e4df41b77d1997a2f1
                      • Instruction Fuzzy Hash: C641B16190E7C54FD7639BB48C651A17FB4EF13220B1A41EBD4CACB1A3E9586C46C362
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b4cc0b2a45e51babad08c18711e87a9bac6dad0757d4f20614653d6493990ef
                      • Instruction ID: ce5bc1cd8b9438eec6ee792a5bcb4bfc668203d421e6ab3ad819ec2ca68249c0
                      • Opcode Fuzzy Hash: 4b4cc0b2a45e51babad08c18711e87a9bac6dad0757d4f20614653d6493990ef
                      • Instruction Fuzzy Hash: 2551B074E1A21E8FDBA8CF98D5606FDBBB5BB48310F11103EE41AA7294DA746A40CB50
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 92eb7ef92e7b9542c8534eeb4565e4d4a6c8e0f9be97bc1b467c31496d74217c
                      • Instruction ID: 163a0804f8e63984084710d6b2ef6f8d75e6bec7af2de798a649d0b051cefbed
                      • Opcode Fuzzy Hash: 92eb7ef92e7b9542c8534eeb4565e4d4a6c8e0f9be97bc1b467c31496d74217c
                      • Instruction Fuzzy Hash: 8B41D06190E3C94FD7639BB48C655A53FB4EF13220B1A01EBD489CB1E3E9986C46C362
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c823ae211d8efbe3ba712423742a85c200208839155558ff1361389459fc969c
                      • Instruction ID: 4db636e19a3e1ce131263d5db805bfbc9faf26352c5130bb0104f74cad1c4011
                      • Opcode Fuzzy Hash: c823ae211d8efbe3ba712423742a85c200208839155558ff1361389459fc969c
                      • Instruction Fuzzy Hash: 1441CD6180E3C54FD3679B748C661A23FB4EF53220B1A41EFD4CACB1A3E9586C46C762
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e311f87da93f71ced0e5c9bb5f35deda87f72aa602b91886c62ea0745f77ed9
                      • Instruction ID: f4306cdb62b27310b2bcfdd0bd4531f661a24902b9f39dfaa252470b0309c3c4
                      • Opcode Fuzzy Hash: 7e311f87da93f71ced0e5c9bb5f35deda87f72aa602b91886c62ea0745f77ed9
                      • Instruction Fuzzy Hash: 8F41D030A0E3CA4FE7A68B7488706A53FB1AF53310F1A41FBD099C71E7D9685A49C752
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bff92d2a57fa8c1b4584f87655c8db7865e89c19e7502ac51f3cd511e5953b61
                      • Instruction ID: 2b1aee5e2f4f0645cef8c675487083ca061e53486f091833cd59749adfb5f76e
                      • Opcode Fuzzy Hash: bff92d2a57fa8c1b4584f87655c8db7865e89c19e7502ac51f3cd511e5953b61
                      • Instruction Fuzzy Hash: 1841E130A0E3CA4FD7A79B7488705A83FB1AF47300F1A41EBD099C71E7DA685A09C752
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8bb48e5d8917e7dfba6407fad07931506f8cd075b5ac5be219d8a9d7ec865453
                      • Instruction ID: 303bc53b8d91bf667b1c24488667613cc87ce32b70ac03aca0d004ecb4476a35
                      • Opcode Fuzzy Hash: 8bb48e5d8917e7dfba6407fad07931506f8cd075b5ac5be219d8a9d7ec865453
                      • Instruction Fuzzy Hash: 2741E13090E3CA4FD7A68B7488706A83FB1EF43300F0A41EBD09AC71E7D9A85909C752
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a9b3f3bfcb6df55d574cf1a56a1f2b43e64bfbfeff5e210d9bf03d8fce4fcb4a
                      • Instruction ID: 1e0f1133a8ae979e12d81acb8edc3dcbff7a8052b6a3477f612fe5576054739a
                      • Opcode Fuzzy Hash: a9b3f3bfcb6df55d574cf1a56a1f2b43e64bfbfeff5e210d9bf03d8fce4fcb4a
                      • Instruction Fuzzy Hash: E341B031A0E3CA4FD7679B7488706A97FB1AF43310F0A41EBD099C71E7DA685909C752
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4fa702bea5c4d9d0b2fdc006a30f6d2ca63b088d559a84af71014b59b0291c13
                      • Instruction ID: 8018eeaf3c5b5f841c2a3cb936abb11da4cfb227f761364b64ac3ed5ab0556b0
                      • Opcode Fuzzy Hash: 4fa702bea5c4d9d0b2fdc006a30f6d2ca63b088d559a84af71014b59b0291c13
                      • Instruction Fuzzy Hash: 1331F570A19A5D8FDFA4EF98C4A0AADBBB1FF58300F15117AD00EE7291DA75A940DB40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 21296b37c12bf79a74a8c58252611cce0ddeb7d92d21dc276bfd052973f0b0f7
                      • Instruction ID: 4f5bb5dfadd6520eb6f4c306a49c259ec83424f1d1b88e55304000acde68da22
                      • Opcode Fuzzy Hash: 21296b37c12bf79a74a8c58252611cce0ddeb7d92d21dc276bfd052973f0b0f7
                      • Instruction Fuzzy Hash: 4A31CF7144E3C44FD7239B748C655A13FB4EF63220B0A02DFD489CB1A3E9986C46C762
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf2533658dc74bb5ca1737f8116823f3dd7c984e2a3b7cb3797f8b752a735ecf
                      • Instruction ID: ae16ac229db438b4d58e48f2a3f561d6774fbab48ace6804e1f37906937f44d3
                      • Opcode Fuzzy Hash: bf2533658dc74bb5ca1737f8116823f3dd7c984e2a3b7cb3797f8b752a735ecf
                      • Instruction Fuzzy Hash: 1141A274E1A21E9FDBA8CF98D5606FDBBB1AF48310F11503EE41AA7390DB746A40CB54
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 601ed3a0aa8934503d2afbbd9dbbc2aa859004dbbbfbdc821456150f86579ae8
                      • Instruction ID: 400de62fbd1f1f234da42f45b0d4c27f5213af8b58a554091cf472e7faf151c6
                      • Opcode Fuzzy Hash: 601ed3a0aa8934503d2afbbd9dbbc2aa859004dbbbfbdc821456150f86579ae8
                      • Instruction Fuzzy Hash: F131D270A19A1D8FDFA4EF9CC4A0AADBBB1FB58700F15112AD00EE7290DA75A940DB40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9fa4560ba11ac652cec991376b5d0468ba9293cb562e5567afa4a2c992664f05
                      • Instruction ID: 0694d61de9795de98a0175abebf232377dccc7bc2d001fcea02040883edcddd8
                      • Opcode Fuzzy Hash: 9fa4560ba11ac652cec991376b5d0468ba9293cb562e5567afa4a2c992664f05
                      • Instruction Fuzzy Hash: 4731A03090E3CA4FD7A79B7488756A57FB0AF13300F0A01EBD099CB1E7DA695949C762
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bcddbbe120997e1a5fa4bd1ab3d187f7d786fdf83854838812796f20602153f9
                      • Instruction ID: 727af797e3824ec738c94cf4252ce727fa13407596273fb5c22e2a4347ccd836
                      • Opcode Fuzzy Hash: bcddbbe120997e1a5fa4bd1ab3d187f7d786fdf83854838812796f20602153f9
                      • Instruction Fuzzy Hash: CE21BE21B0E6490FE3A89FA888B953537D1EF95350B15127FE49FC32E2DD68AC02C350
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b41ffef12a63adb27bc14f6739a2c87ed396f71cc76b78735b041badc8e90730
                      • Instruction ID: 934c4a758ed0c1d199d836cfba10c8d7f35c033011e0f5d333fdd9919636c794
                      • Opcode Fuzzy Hash: b41ffef12a63adb27bc14f6739a2c87ed396f71cc76b78735b041badc8e90730
                      • Instruction Fuzzy Hash: C221AC34A0991D8FDFA9DB58C8A5AA8B3B1FF59305F5111E9D00ED72A1CE75AE80CF40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 30b09a275bbd088601fdda9c28647c3e129d284ac390818b0539a0f47b30e9ef
                      • Instruction ID: d22df1d6e139985ad5c18bf1c9a5e3e3dd9777bbc45fac7a0316628e817f46cb
                      • Opcode Fuzzy Hash: 30b09a275bbd088601fdda9c28647c3e129d284ac390818b0539a0f47b30e9ef
                      • Instruction Fuzzy Hash: 4E219372A0990D8FEBA4DB58C8547A977F1EFA9340F0401BBD04CE3191DF7529418B50
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1c3246a523cfe9c108d3786cb5dc51f7c9caf9f58df6da586eb9b9e1ef7d7a80
                      • Instruction ID: 3463e9bb640596ba7047d494061da87cb861ce08c079195391cdf08fe0b28481
                      • Opcode Fuzzy Hash: 1c3246a523cfe9c108d3786cb5dc51f7c9caf9f58df6da586eb9b9e1ef7d7a80
                      • Instruction Fuzzy Hash: C8019630A09A4D9EDBF8DF68C9607A976E1FB55300F01017AE41DD3294DE755A448B81
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9cfd6e2de302e6c4e3bda1cadd92f1443966367693497fba0fede2bafd7951e0
                      • Instruction ID: 7e03e3716f58e69c5233d0c159bd54364916cda7dea1e9af1fdb650720e6a078
                      • Opcode Fuzzy Hash: 9cfd6e2de302e6c4e3bda1cadd92f1443966367693497fba0fede2bafd7951e0
                      • Instruction Fuzzy Hash: 4B01A12148F2C96FE76347A05C225E53F789F03210F0A01EBE4898A4B3C9AD175AC362
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 27d36b6f818574b4eeb761110688f500031bd87fb581cbb6b4533bd6596afd37
                      • Instruction ID: c716169ae5c6c9d1a68a584c287a727072276cc7358d71a4cd6cbc7d53fad3c8
                      • Opcode Fuzzy Hash: 27d36b6f818574b4eeb761110688f500031bd87fb581cbb6b4533bd6596afd37
                      • Instruction Fuzzy Hash: 4301753075954A4BD77CAB58C4A55B833E6FB45311F24603ED497C61E2DE78EA434640
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fbbc9a41c3a039393734afaf6af671ee637d8b44e8565be929bde1bf148e2109
                      • Instruction ID: 8430217cbe4a8e8b90ade67bf0b0d067f24355eb345b827c9089e830e9d15bbc
                      • Opcode Fuzzy Hash: fbbc9a41c3a039393734afaf6af671ee637d8b44e8565be929bde1bf148e2109
                      • Instruction Fuzzy Hash: 33F0AF3094A68E8FE7A1EFA0CC646E677A0FF46200F0610B6E459C70A2DE78A655C711
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d341e51f451b1d144d0bcada828347b5ea774f87f9badf200fad2f3ff643f73
                      • Instruction ID: c0dace4dcdcf68113bad86a6f72057d81677cf8b97544531df0d0e8e49975272
                      • Opcode Fuzzy Hash: 8d341e51f451b1d144d0bcada828347b5ea774f87f9badf200fad2f3ff643f73
                      • Instruction Fuzzy Hash: 1D01A230B695494AE778AF28C8A45F833D2FB45315F24513ED49BC21E2DE78EA424640
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5156f6267c6d5d94fe13aee10eecf464d5ca8dd311cb101e8feb35a7e152145
                      • Instruction ID: 43e58a0e919af21089c4934263de13596162c8d3cd5e788dace6207d04203715
                      • Opcode Fuzzy Hash: d5156f6267c6d5d94fe13aee10eecf464d5ca8dd311cb101e8feb35a7e152145
                      • Instruction Fuzzy Hash: 2B01B5A2E0E54D5EFBE5DB5888257A877B0FF65340F1401FBC08CE71A2EE2429418B41
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                      • Instruction ID: a62c20dc15d0921ef92aa1d4908fbdad627bee8a1915bed537e69dd6fe756e9e
                      • Opcode Fuzzy Hash: ae92d6c5723e1f5714dc26c9ab71934e8fe0d12e426005dcb946c46a12fa4217
                      • Instruction Fuzzy Hash: 16013974A0892C8FCFA9DF58C895BA8B7B1FB69301F5041DAC04DE7251CB71AA85CF01
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 497cc0d85796151b8b32481b31e0da3700abff2c049ae765e167e5a3e7cba558
                      • Instruction ID: 2be4a3b8c58935f9f6b4544f660317309123e1d15c989374715d12531a7ab1d8
                      • Opcode Fuzzy Hash: 497cc0d85796151b8b32481b31e0da3700abff2c049ae765e167e5a3e7cba558
                      • Instruction Fuzzy Hash: 3901FE70A0992C9FDFA8EF18C894FA9B7B1EB69301F5041DA804DE7251CA71AE85CF01
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                      • Instruction ID: c6315d8f09b65919022fd50adf95fdcf8443ef21aa712153ae57820babbdc246
                      • Opcode Fuzzy Hash: e6364fa4c7c8d8be0996aacc52aae41300c365d61cce50c07466cf792668abd5
                      • Instruction Fuzzy Hash: 6001FE7091892C8FCFE9EB08C894BE9B7B1EB68301F1041E9900DE3660CA71AEC1CF40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b64a803c14659badd6e2260876d1c9546646d1b25a23b74c05edeea364829d28
                      • Instruction ID: e4dc9c67277c47ad5befb73e18552350d2b71626c052bbc973b83089aec0430a
                      • Opcode Fuzzy Hash: b64a803c14659badd6e2260876d1c9546646d1b25a23b74c05edeea364829d28
                      • Instruction Fuzzy Hash: C801127095955D8FCB95EFA8C854FADBBB0FF15300F1400E9D00DD7195DA759945CB00
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 525adabb46436e71df3b6b4453fe3793391af785fbacbba961fdd23567f32d69
                      • Instruction ID: 5ab2c8be717d6da922d20d6aecd658e0f5ab983bf13e82c9f8c740ec62f07902
                      • Opcode Fuzzy Hash: 525adabb46436e71df3b6b4453fe3793391af785fbacbba961fdd23567f32d69
                      • Instruction Fuzzy Hash: 97F0E565A1F38E0AE3A6B77848791E93FA0DF56344F0718BAE495C60E7EC6A5544C201
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 43ebb28d9089d7a296b5a7c54536e96482905b1639c113f3f63513f86f3f9199
                      • Instruction ID: cd592e476af9b282a0e0686f694bbc135acdf24db229cf8c5c7dc52046200a32
                      • Opcode Fuzzy Hash: 43ebb28d9089d7a296b5a7c54536e96482905b1639c113f3f63513f86f3f9199
                      • Instruction Fuzzy Hash: 36F0B634A0991D8FEFA8EB48C895B9473A2EB94305F0111E9D40DE32A0CA75AE818F40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f84420211ecf5bda404e840b2f6d7a89a8652beb317cdf4995b11884aa30d11
                      • Instruction ID: d8a9fd3559293c3b22563536976e1a4783c3b56cbe1009d74ca30530dd544467
                      • Opcode Fuzzy Hash: 7f84420211ecf5bda404e840b2f6d7a89a8652beb317cdf4995b11884aa30d11
                      • Instruction Fuzzy Hash: 49F03034A0E50F4BFEF8DB888465AA42392EF85311F5211B8D41D836B1CDADAE564F40
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8fc4863bc387c31323c94889caf6f0c6c7d63e1dd50d0e4c9a1d1c6898e900c2
                      • Instruction ID: abcd23a43aa75cf71f2672b2a0d58483df15fa49e37bbba946ae1a493e1afdc8
                      • Opcode Fuzzy Hash: 8fc4863bc387c31323c94889caf6f0c6c7d63e1dd50d0e4c9a1d1c6898e900c2
                      • Instruction Fuzzy Hash: 23E08C71A0CA899FC3A4CF9CD0A0626B7D2EB88354F41453DF04EC3A61DAB1A8429740
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d3edca06f2ca9cd1db03424a324be9f868cc38d5f93ed0664753a680642aada
                      • Instruction ID: 0d4d99095cea273f7ef8fe2db25459376b0598b31d73b421e661a5545d51a3ff
                      • Opcode Fuzzy Hash: 2d3edca06f2ca9cd1db03424a324be9f868cc38d5f93ed0664753a680642aada
                      • Instruction Fuzzy Hash: 9DE04F3280E3C85FD7635B608C215A9BFB0AF43100F4A52D7E4888B0B3E75C6B18C352
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 071a1791b99013fa17abf22c0faa57af3bfe4cef6b97bcc2b40724d6655bafb9
                      • Instruction ID: 9e2760bcdab90fe221cfbcd7f0e00f85abf4a887a3b8e406cb5101ea1b2695cb
                      • Opcode Fuzzy Hash: 071a1791b99013fa17abf22c0faa57af3bfe4cef6b97bcc2b40724d6655bafb9
                      • Instruction Fuzzy Hash: F1D0C931E0940C9EDB94EF98E8515FCB7B5EF48210F0152B7E40DE3191DE312A918644
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA10000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba10000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f749b82b03f27bf6fb8d3d3b7b1bd5303bab80b55fb39cb2533ae7ba13e17992
                      • Instruction ID: 916edcd9872918b20c02f2ff3c080478b63ff418a86f0d529835a38c6f7f2b70
                      • Opcode Fuzzy Hash: f749b82b03f27bf6fb8d3d3b7b1bd5303bab80b55fb39cb2533ae7ba13e17992
                      • Instruction Fuzzy Hash: 86D05E7161898A8FDBD9DB18C4917E6B361FF29300F0442B7E80A97446CA206C01CB80
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 710fad565d5b129ef08127c2f35d8229f8c989918f1963e70ef8ed476adb95b3
                      • Instruction ID: c543a1cd07a4760ab04f6013dbce5c12617c436787df93834018494118ce1ca7
                      • Opcode Fuzzy Hash: 710fad565d5b129ef08127c2f35d8229f8c989918f1963e70ef8ed476adb95b3
                      • Instruction Fuzzy Hash: 59C09B127CB51D0AD5D45A5C7C911A4B340D7451317C115B7D909C525AD85B494147C1
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a98f832aea0622f5836717f34c964c3bd7ebb7ed5d694950725a54369edc9411
                      • Instruction ID: abc584e8182186cb4545fc6a9a1f3bcf6997be7f76bddc1fa7e7e00de9f7e4bd
                      • Opcode Fuzzy Hash: a98f832aea0622f5836717f34c964c3bd7ebb7ed5d694950725a54369edc9411
                      • Instruction Fuzzy Hash: 3FD09270E1A50E9EDBA4EFC588645BCBBB1EF54300F651039D019E22A0DEB82541CF00
                      Memory Dump Source
                      • Source File: 0000000C.00000002.1715374863.00007FFD9BA13000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BA13000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_12_2_7ffd9ba13000_BKTxiN.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 604d64d13aaf38fe30b5f3eb7b563c9e6ab27d1bd29d423291c6863b25a324bf
                      • Instruction ID: 99d53e1ccbe7222102ca74be91171cf5006075793e9d3c4f5df9104d3c772f27
                      • Opcode Fuzzy Hash: 604d64d13aaf38fe30b5f3eb7b563c9e6ab27d1bd29d423291c6863b25a324bf
                      • Instruction Fuzzy Hash: 76C0C920E1961D6EDBB0AF54445037866A0AB15700F5110B5C04D92151CA7416808B01