
Windows Analysis Report
Sy3CL61n0uDC55M.exe

Overview

General Information

Sample name: Sy3CL61n0uDC55M.exe
Analysis ID: 1448091
MD5: d0f3cf5271f7290a5779928f06bc96c8
SHA1: 981c80a9a2994d639c6c2a365c275519318d771e
SHA256: f95c4cfa4575ecce08ce137d4fa5ede9fd4356814c770120dfea81d1e3ed157f
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Sy3CL61n0uDC55M.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe" MD5: D0F3CF5271F7290A5779928F06BC96C8)
    • powershell.exe (PID: 352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3444 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7452 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7132 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Sy3CL61n0uDC55M.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe" MD5: D0F3CF5271F7290A5779928F06BC96C8)
    • Sy3CL61n0uDC55M.exe (PID: 7280 cmdline: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe" MD5: D0F3CF5271F7290A5779928F06BC96C8)
  • dJlGycWPOpq.exe (PID: 7512 cmdline: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe MD5: D0F3CF5271F7290A5779928F06BC96C8)
    • schtasks.exe (PID: 7604 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dJlGycWPOpq.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe" MD5: D0F3CF5271F7290A5779928F06BC96C8)
    • dJlGycWPOpq.exe (PID: 7660 cmdline: "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe" MD5: D0F3CF5271F7290A5779928F06BC96C8)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Yara matches (memory dumps) - Source / Rule / Description / Author / Strings (17 entries in total; 5 shown):
Source: 0000000F.00000002.2923384112.00000000030D8000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000009.00000002.2922567314.0000000002D28000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 00000009.00000002.2922567314.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000F.00000002.2923384112.00000000030AE000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security

Yara matches (unpacked PE files) - Source / Rule / Description / Author / Strings (21 entries in total; 5 shown):
Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack; Rule: JoeSecurity_AgentTesla_1; Description: Yara detected AgentTesla; Author: Joe Security
Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID; Description: Detects executables referencing Windows vault credential objects. Observed in infostealers; Author: ditekSHen; Strings:
  • 0x33205:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33277:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33301:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33393:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x333fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3346f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x33505:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x33595:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ParentImage: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, ParentProcessId: 6892, ParentProcessName: Sy3CL61n0uDC55M.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ProcessId: 352, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ParentImage: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, ParentProcessId: 6892, ParentProcessName: Sy3CL61n0uDC55M.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ProcessId: 352, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe, ParentImage: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe, ParentProcessId: 7512, ParentProcessName: dJlGycWPOpq.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp", ProcessId: 7604, ProcessName: schtasks.exe
Source: Network Connection; Author: frack113; Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, Initiated: true, ProcessId: 7280, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ParentImage: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, ParentProcessId: 6892, ParentProcessName: Sy3CL61n0uDC55M.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", ProcessId: 7132, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ParentImage: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, ParentProcessId: 6892, ParentProcessName: Sy3CL61n0uDC55M.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ProcessId: 352, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe", ParentImage: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe, ParentProcessId: 6892, ParentProcessName: Sy3CL61n0uDC55M.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp", ProcessId: 7132, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source: zqamcx.com; Virustotal: Detection: 9%
Source: http://zqamcx.com; Virustotal: Detection: 9%
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe; ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe; Virustotal: Detection: 48%
Source: Sy3CL61n0uDC55M.exe; Virustotal: Detection: 48%
Source: Sy3CL61n0uDC55M.exe; ReversingLabs: Detection: 39%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe; Joe Sandbox ML: detected
Source: Sy3CL61n0uDC55M.exe; Joe Sandbox ML: detected
Source: Sy3CL61n0uDC55M.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Sy3CL61n0uDC55M.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe; Code function: 4x nop then jmp 07A7CD3Ah (0_2_07A7C2E6)
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe; Code function: 4x nop then jmp 06DABF8Ah (11_2_06DAB536)

Networking

Source: Yara match; File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49735 -> 78.110.166.82:587
Source: Joe Sandbox View; IP Address: 78.110.166.82
Source: global traffic; TCP traffic: 192.168.2.4:49735 -> 78.110.166.82:587
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: zqamcx.com
Source: Sy3CL61n0uDC55M.exe, dJlGycWPOpq.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Sy3CL61n0uDC55M.exe, dJlGycWPOpq.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Sy3CL61n0uDC55M.exe, dJlGycWPOpq.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.00000000068A4000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.0000000006862000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://r3.i.lencr.org/0#
Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.00000000068A4000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.0000000006862000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://r3.o.lencr.org0
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1709863179.0000000003281000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000B.00000002.1750055536.0000000002B01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.fonts.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715598824.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.tiro.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.typography.netD
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://zqamcx.com
Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2919418555.0000000000437000.00000040.00000400.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: Sy3CL61n0uDC55M.exe, dJlGycWPOpq.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, O9KGcRw9bkp.cs; .Net Code: KAZ
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe; Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe; Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe

                    System Summary

                    barindex
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.Sy3CL61n0uDC55M.exe.59e0000.8.raw.unpack, .csLarge array initialization: : array initializer size 27103
                    Source: 0.2.Sy3CL61n0uDC55M.exe.32a2e70.3.raw.unpack, .csLarge array initialization: : array initializer size 27103
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_0190D5BC
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A782A8
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A782B8
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A76260
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A76253
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A75E28
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A7EB68
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A759F0
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A77908
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 0_2_07A778F8
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_01129B40
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_01124A88
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_0112CDC0
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_01123E70
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_011241B8
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_059FC9A0
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_059F1480
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_059F10B8
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06243F38
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06242F08
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06245760
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06248C0A
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_0624DD90
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06240040
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06243637
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_0624BD90
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_06245068
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeCode function: 9_2_062449E8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_029BD5BC
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_050C67E0
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_050C67D0
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_050C0006
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_050C0040
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA82B8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA82A8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA6253
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA6260
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA5E28
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DADDB0
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA78F8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA59F0
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 11_2_06DA7908
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E741B8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E74A88
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E79B40
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E73E70
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E7CDC0
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E79BFC
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D0DD9B
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D08C0A
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D05760
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D02F08
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D03637
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D049E8
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D00040
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_05D05068
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeCode function: 15_2_02E7D16C
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: invalid certificate
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1709863179.00000000032CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1708327806.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000000.1658397539.0000000000F2E000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameAJaS.exe4 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1714929748.00000000059E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1709863179.0000000003281000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSimpleLogin.dll8 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1718498694.00000000079E0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2919418555.000000000043B000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2920012891.0000000000B99000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exeBinary or memory string: OriginalFilenameAJaS.exe4 vs Sy3CL61n0uDC55M.exe
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: dJlGycWPOpq.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, CMa60k.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, CMa60k.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, CMa60k.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, CMa60k.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, EgTglEucnUn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, EgTglEucnUn.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, MmVR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, MmVR.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, upPrRf8lNFs4VbjrON.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, upPrRf8lNFs4VbjrON.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, HorOuCEJxESljx8VlT.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, upPrRf8lNFs4VbjrON.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                    Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, upPrRf8lNFs4VbjrON.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/15@1/1
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeFile created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4464:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeMutant created: \Sessions\1\BaseNamedObjects\qxgxewTxIAhudKzTjVYx
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeFile created: C:\Users\user\AppData\Local\Temp\tmp987A.tmp
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: Sy3CL61n0uDC55M.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Sy3CL61n0uDC55M.exeVirustotal: Detection: 48%
                    Source: Sy3CL61n0uDC55M.exeReversingLabs: Detection: 39%
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeFile read: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe:Zone.Identifier
                    Source: unknownProcess created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: netutils.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: edputil.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: slc.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: sppc.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ntmarta.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Sy3CL61n0uDC55M.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Sy3CL61n0uDC55M.exe, Form1.cs  .Net Code: InitializeComponent contains xor as well as GetObject
Source: dJlGycWPOpq.exe.0.dr, Form1.cs  .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.Sy3CL61n0uDC55M.exe.59e0000.8.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, HorOuCEJxESljx8VlT.cs  .Net Code: zWTyTR8Q4d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, HorOuCEJxESljx8VlT.cs  .Net Code: zWTyTR8Q4d System.Reflection.Assembly.Load(byte[])
Source: 0.2.Sy3CL61n0uDC55M.exe.32a2e70.3.raw.unpack, .cs  .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Code function: 0_2_07A7BF63 push ecx; ret 0_2_07A7BF64
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Code function: 0_2_07A7CD48 pushfd ; retf 0_2_07A7CD49
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Code function: 0_2_07A798D8 pushfd ; retf 0_2_07A798E1
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Code function: 11_2_06DAA638 pushfd ; retf 11_2_06DAA641
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Code function: 15_2_05D0BD83 push es; iretd 15_2_05D0BD8A
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Code function: 15_2_05D0C4F9 push cs; iretd 15_2_05D0C4FA
Source: Sy3CL61n0uDC55M.exe  Static PE information: section name: .text entropy: 7.953202180657301
Source: dJlGycWPOpq.exe.0.dr  Static PE information: section name: .text entropy: 7.953202180657301
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, POBFfEwJTjeNAIFNhR.cs  High entropy of concatenated method names: 'ToString', 'zuvRHyR2Fw', 'zI4Rh3LTFM', 'opHRFAYn1R', 'W6kRnYlTRp', 'XakRXPvALp', 'GdlROr4qiM', 'QY6Rgt81FL', 'x1bRURwKpa', 'Oc4RfoMcoi'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, Lk39rRcvdhDKtKcN2q.cs  High entropy of concatenated method names: 'uddpQuYFiO', 'LWZpcu4BM5', 'V3ppy9Yb9K', 'LtLp1l5B72', 'bxnpWCKPSO', 'eD9pIw9PKV', 'rHxpZ3FwFI', 'BV5sbwvMaB', 'DHnsPsoaTO', 'df4sL2Dppt'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, Uq73jEdnxVO9MEaXME.cs  High entropy of concatenated method names: 'x5jQdT3YuL', 'fl8QA8dWYx', 'BCkQojTybb', 'Gl1QBi5RVh', 'wDsQe9J8hZ', 'hLeQRi2oSe', 'Hd8bTL3eSXGuVgt6HR', 'JvS5wAePuRyFGYDije', 'DauQQVtW9M', 'QQxQceASTS'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, GBdKuHN8Bj87yrZvm2.cs  High entropy of concatenated method names: 'gV3d0mheV6', 'dqfdS2svCa', 'NLudTys1W0', 'YtKdqfNRYU', 'S43dMdV9IQ', 'ONSdkZQMMO', 'VwodivDyLW', 'y2idJub1dI', 'qdDd3OvNAP', 'b4pd5wkpcd'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, upPrRf8lNFs4VbjrON.cs  High entropy of concatenated method names: 'a5EWlcwAZe', 'tyVWu3fVlD', 'XRxWjpv8yI', 'ENaW90JhEb', 'PZAWNxs4ic', 'CdRWGjPubQ', 'KedWbVNfgh', 'DeVWPd9f71', 'cSFWLYF77b', 'xDBWm323ie'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, G54E15esLglcuB2L6x.cs  High entropy of concatenated method names: 'rswIM90IoS', 'I4TIiqdPTt', 'JlfrFLv9jD', 'IKmrnJcJZ4', 'DWHrX8Jdqh', 'ma0rOV48CL', 'N4jrgCmCsF', 'MbvrULuBx1', 'ioSrfmWjJI', 'uEFr7Mq13v'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, j582c5aFQXGYP8gCSS.cs  High entropy of concatenated method names: 'Dispose', 'dElQLs6CJs', 'Y9tEhALB3u', 'N9I44O60C3', 'j08QmagJiW', 'LGbQzJ0pFM', 'ProcessDialogKey', 'zSQEVvjXZy', 'Bx3EQ1NLjF', 'aJvEECwHuB'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, x2WxdrhlsxwK2q8VYT.cs  High entropy of concatenated method names: 'UiCvJpiWmd', 'eBov3J4XpP', 'YgPvaIrGgx', 'lvtvhVBIwM', 'rCmvnMCOx0', 'aSevXGZfVR', 'r3NvgSMhkR', 'tZkvUPqjWB', 'AvFv7Jojnr', 'm5HvHyc3yS'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, MQmEqMkCAKAow8Supx.cs  High entropy of concatenated method names: 'xBrrqZUjww', 'zJrrkiAjX4', 'VherJhu7Vs', 'skvr3Je8m5', 'i1LreTn6X7', 'RUmrRugB9g', 'tRnrDxH5VL', 'eCfrsa61rl', 'F2erpxWaga', 'fHArwmIvtJ'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, HorOuCEJxESljx8VlT.cs  High entropy of concatenated method names: 'XItcxlaFc1', 'rRVc121gGx', 'TpkcW6pCgP', 'VtHcrXJerd', 'q6DcIuJTYN', 'iCwcZtBmuF', 'RMOcdoyEZ1', 'AQ5cArRV12', 'gYKcKBcwvG', 'K51co0YuW8'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, B4oYhxXdtG0xbAvrtK.cs  High entropy of concatenated method names: 'loVd12DQkU', 'jIidrGKqgW', 'SOVdZC1TYD', 'v5wZmZlRcb', 'o7QZz5Dgil', 'bLHdV3yAi4', 'vDfdQ1KSrF', 'm2OdE5CSlJ', 'pstdctlxeK', 'T54dy7HUot'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, RTrFOHxIZAlFPGXXgt.cs  High entropy of concatenated method names: 'V33DP0mRXJ', 'HaqDmUBNr5', 'UmSsVmVoAs', 'pypsQ4NCN2', 'YV3DH4p2YT', 'L1ODYrJy7n', 'zsaD2v49fH', 'mMDDl6mXoB', 'k7UDuymG28', 'J3TDj24jCo'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, pyVVwJACbW7oCLNe6A.cs  High entropy of concatenated method names: 'fJBDoFFCQZ', 'oGRDBMsUyX', 'ToString', 'RJRD1BTo5q', 'bhmDWI6k1q', 'WniDr8DyKy', 'ikYDId36db', 'eNXDZKKr2r', 'L4sDdXMgmF', 'hHpDA27mr7'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, xStw0EqmoNZHGsJI1e.cs  High entropy of concatenated method names: 'qB7T0Y4Rl', 'dByqxu6SM', 'JVCk17JVT', 'RcIiRDSlB', 'IN03EUBne', 'ayZ5nrNQR', 'nUIsxRG2BDlrUsTBij', 'C4sb6QPEWCMCZ4Z81Z', 'dPTsHiph3', 'PxRwRTTeN'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, N9bpsabfSJNkWcfuOt.cs  High entropy of concatenated method names: 'yhRIan0pbpdyfQ5ZURX', 'AjHvvt0jl8KCYWsBq5T', 'QdDl9q0LRZU6viMYhdg', 'Dq9ZsxCmF2', 'TKXZpPK5rm', 'XGKZwtCeLs', 'A70TNQ01rOYKjksloRf', 'Ehks6k0KKVerIYuJAvS'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, wNI90d79Egbvfd75iGA.cs  High entropy of concatenated method names: 'isap0n02qm', 'fcKpSCt7HI', 'rKipTiyffK', 'QnZpq9beRG', 'DmHpMBABCU', 'AyxpkGvysh', 'rWvpiddECL', 'BiSpJ5QOGm', 'xfPp3oyfeH', 'wABp5oRjs1'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, EyWifot3JBAm2ZEfDk.cs  High entropy of concatenated method names: 'h3as1BEK40', 'T0osWwZow1', 'QhYsrsxqbs', 'MiysIHZgpu', 'WxdsZ0AgDe', 'WLtsd6Oe4R', 'VeIsAcehf7', 'iaEsK6kTUi', 'VL2sotNFDy', 'FOHsBnDnM6'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, EiJum1vLkIqg9hxMlx.cs  High entropy of concatenated method names: 'OXNZ8IulYN', 'qMsZ023luA', 'gdTZT54iHf', 'vPJZqJpyjL', 'PKwZkYaydE', 'YobZikn4rH', 'N2fZ3eBhYg', 'e05Z5876B0', 'AxDa780WyXAkcopS3TJ', 'ljvT7l0CHqNAy9k9DFw'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, SpJgEg7TRMJQKBH257r.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xDxwliVwKZ', 'wBpwuk37o3', 'Fv7wjkGcgr', 'gaYw9bLeiJ', 'qu2wNrmPbb', 'VaUwGwc6u8', 'jBRwbbU9Iy'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, BqVOFvfipC3BW4Z9nB.cs  High entropy of concatenated method names: 'XNusa7OidK', 'hcXsh16BrR', 'jVhsFdxUgc', 'zrTsnliSUH', 'w9islnwL1b', 'uBbsXRTnk2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, rm8JDSzg8KynBhLVGV.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'on3pviDkle', 'orrpe37YLB', 'MFfpRYMclw', 'CcFpDJM0d0', 'EWNpsYWI0W', 'f1WppDpkMh', 'TkWpwubpFD'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, lccbtB1OBP6sCKRABs.cs  High entropy of concatenated method names: 'Pqfe7hndbT', 'BLleYM0Kk9', 'SQYelyp4vw', 'pjMeu1v9dG', 'Y1uehqXxBr', 'mvheFkGoVj', 'hQden8BPqt', 'yraeXTjWu9', 'tWkeOPjGa2', 'PH9eg80wlD'
Source: 0.2.Sy3CL61n0uDC55M.exe.79e0000.11.raw.unpack, O5Ws8YBJ9tR4XEJrBr.cs  High entropy of concatenated method names: 'k7IZx7Dk6c', 'DdRZWxtPVd', 'OyeZI0rh7P', 'WAnZdpLCqi', 'WR0ZAwtJLR', 'tyFINqxiXc', 'uF9IGEuCi2', 'HopIb0vMWq', 'bddIPeYOvj', 'l4XILUq1Tn'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, POBFfEwJTjeNAIFNhR.cs  High entropy of concatenated method names: 'ToString', 'zuvRHyR2Fw', 'zI4Rh3LTFM', 'opHRFAYn1R', 'W6kRnYlTRp', 'XakRXPvALp', 'GdlROr4qiM', 'QY6Rgt81FL', 'x1bRURwKpa', 'Oc4RfoMcoi'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, Lk39rRcvdhDKtKcN2q.cs  High entropy of concatenated method names: 'uddpQuYFiO', 'LWZpcu4BM5', 'V3ppy9Yb9K', 'LtLp1l5B72', 'bxnpWCKPSO', 'eD9pIw9PKV', 'rHxpZ3FwFI', 'BV5sbwvMaB', 'DHnsPsoaTO', 'df4sL2Dppt'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, Uq73jEdnxVO9MEaXME.cs  High entropy of concatenated method names: 'x5jQdT3YuL', 'fl8QA8dWYx', 'BCkQojTybb', 'Gl1QBi5RVh', 'wDsQe9J8hZ', 'hLeQRi2oSe', 'Hd8bTL3eSXGuVgt6HR', 'JvS5wAePuRyFGYDije', 'DauQQVtW9M', 'QQxQceASTS'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, GBdKuHN8Bj87yrZvm2.cs  High entropy of concatenated method names: 'gV3d0mheV6', 'dqfdS2svCa', 'NLudTys1W0', 'YtKdqfNRYU', 'S43dMdV9IQ', 'ONSdkZQMMO', 'VwodivDyLW', 'y2idJub1dI', 'qdDd3OvNAP', 'b4pd5wkpcd'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, upPrRf8lNFs4VbjrON.cs  High entropy of concatenated method names: 'a5EWlcwAZe', 'tyVWu3fVlD', 'XRxWjpv8yI', 'ENaW90JhEb', 'PZAWNxs4ic', 'CdRWGjPubQ', 'KedWbVNfgh', 'DeVWPd9f71', 'cSFWLYF77b', 'xDBWm323ie'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, G54E15esLglcuB2L6x.cs  High entropy of concatenated method names: 'rswIM90IoS', 'I4TIiqdPTt', 'JlfrFLv9jD', 'IKmrnJcJZ4', 'DWHrX8Jdqh', 'ma0rOV48CL', 'N4jrgCmCsF', 'MbvrULuBx1', 'ioSrfmWjJI', 'uEFr7Mq13v'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, j582c5aFQXGYP8gCSS.cs  High entropy of concatenated method names: 'Dispose', 'dElQLs6CJs', 'Y9tEhALB3u', 'N9I44O60C3', 'j08QmagJiW', 'LGbQzJ0pFM', 'ProcessDialogKey', 'zSQEVvjXZy', 'Bx3EQ1NLjF', 'aJvEECwHuB'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, x2WxdrhlsxwK2q8VYT.cs  High entropy of concatenated method names: 'UiCvJpiWmd', 'eBov3J4XpP', 'YgPvaIrGgx', 'lvtvhVBIwM', 'rCmvnMCOx0', 'aSevXGZfVR', 'r3NvgSMhkR', 'tZkvUPqjWB', 'AvFv7Jojnr', 'm5HvHyc3yS'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, MQmEqMkCAKAow8Supx.cs  High entropy of concatenated method names: 'xBrrqZUjww', 'zJrrkiAjX4', 'VherJhu7Vs', 'skvr3Je8m5', 'i1LreTn6X7', 'RUmrRugB9g', 'tRnrDxH5VL', 'eCfrsa61rl', 'F2erpxWaga', 'fHArwmIvtJ'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, HorOuCEJxESljx8VlT.cs  High entropy of concatenated method names: 'XItcxlaFc1', 'rRVc121gGx', 'TpkcW6pCgP', 'VtHcrXJerd', 'q6DcIuJTYN', 'iCwcZtBmuF', 'RMOcdoyEZ1', 'AQ5cArRV12', 'gYKcKBcwvG', 'K51co0YuW8'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, B4oYhxXdtG0xbAvrtK.cs  High entropy of concatenated method names: 'loVd12DQkU', 'jIidrGKqgW', 'SOVdZC1TYD', 'v5wZmZlRcb', 'o7QZz5Dgil', 'bLHdV3yAi4', 'vDfdQ1KSrF', 'm2OdE5CSlJ', 'pstdctlxeK', 'T54dy7HUot'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, RTrFOHxIZAlFPGXXgt.cs  High entropy of concatenated method names: 'V33DP0mRXJ', 'HaqDmUBNr5', 'UmSsVmVoAs', 'pypsQ4NCN2', 'YV3DH4p2YT', 'L1ODYrJy7n', 'zsaD2v49fH', 'mMDDl6mXoB', 'k7UDuymG28', 'J3TDj24jCo'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, pyVVwJACbW7oCLNe6A.cs  High entropy of concatenated method names: 'fJBDoFFCQZ', 'oGRDBMsUyX', 'ToString', 'RJRD1BTo5q', 'bhmDWI6k1q', 'WniDr8DyKy', 'ikYDId36db', 'eNXDZKKr2r', 'L4sDdXMgmF', 'hHpDA27mr7'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, xStw0EqmoNZHGsJI1e.cs  High entropy of concatenated method names: 'qB7T0Y4Rl', 'dByqxu6SM', 'JVCk17JVT', 'RcIiRDSlB', 'IN03EUBne', 'ayZ5nrNQR', 'nUIsxRG2BDlrUsTBij', 'C4sb6QPEWCMCZ4Z81Z', 'dPTsHiph3', 'PxRwRTTeN'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, N9bpsabfSJNkWcfuOt.cs  High entropy of concatenated method names: 'yhRIan0pbpdyfQ5ZURX', 'AjHvvt0jl8KCYWsBq5T', 'QdDl9q0LRZU6viMYhdg', 'Dq9ZsxCmF2', 'TKXZpPK5rm', 'XGKZwtCeLs', 'A70TNQ01rOYKjksloRf', 'Ehks6k0KKVerIYuJAvS'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, wNI90d79Egbvfd75iGA.cs  High entropy of concatenated method names: 'isap0n02qm', 'fcKpSCt7HI', 'rKipTiyffK', 'QnZpq9beRG', 'DmHpMBABCU', 'AyxpkGvysh', 'rWvpiddECL', 'BiSpJ5QOGm', 'xfPp3oyfeH', 'wABp5oRjs1'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, EyWifot3JBAm2ZEfDk.cs  High entropy of concatenated method names: 'h3as1BEK40', 'T0osWwZow1', 'QhYsrsxqbs', 'MiysIHZgpu', 'WxdsZ0AgDe', 'WLtsd6Oe4R', 'VeIsAcehf7', 'iaEsK6kTUi', 'VL2sotNFDy', 'FOHsBnDnM6'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, EiJum1vLkIqg9hxMlx.cs  High entropy of concatenated method names: 'OXNZ8IulYN', 'qMsZ023luA', 'gdTZT54iHf', 'vPJZqJpyjL', 'PKwZkYaydE', 'YobZikn4rH', 'N2fZ3eBhYg', 'e05Z5876B0', 'AxDa780WyXAkcopS3TJ', 'ljvT7l0CHqNAy9k9DFw'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, SpJgEg7TRMJQKBH257r.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'xDxwliVwKZ', 'wBpwuk37o3', 'Fv7wjkGcgr', 'gaYw9bLeiJ', 'qu2wNrmPbb', 'VaUwGwc6u8', 'jBRwbbU9Iy'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, BqVOFvfipC3BW4Z9nB.cs  High entropy of concatenated method names: 'XNusa7OidK', 'hcXsh16BrR', 'jVhsFdxUgc', 'zrTsnliSUH', 'w9islnwL1b', 'uBbsXRTnk2', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, rm8JDSzg8KynBhLVGV.cs  High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'on3pviDkle', 'orrpe37YLB', 'MFfpRYMclw', 'CcFpDJM0d0', 'EWNpsYWI0W', 'f1WppDpkMh', 'TkWpwubpFD'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, lccbtB1OBP6sCKRABs.cs  High entropy of concatenated method names: 'Pqfe7hndbT', 'BLleYM0Kk9', 'SQYelyp4vw', 'pjMeu1v9dG', 'Y1uehqXxBr', 'mvheFkGoVj', 'hQden8BPqt', 'yraeXTjWu9', 'tWkeOPjGa2', 'PH9eg80wlD'
Source: 0.2.Sy3CL61n0uDC55M.exe.45edf60.7.raw.unpack, O5Ws8YBJ9tR4XEJrBr.cs  High entropy of concatenated method names: 'k7IZx7Dk6c', 'DdRZWxtPVd', 'OyeZI0rh7P', 'WAnZdpLCqi', 'WR0ZAwtJLR', 'tyFINqxiXc', 'uF9IGEuCi2', 'HopIb0vMWq', 'bddIPeYOvj', 'l4XILUq1Tn'
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  File created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match  File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 6892, type: MEMORYSTR
                    Source: Yara match  File source: Process Memory Space: dJlGycWPOpq.exe PID: 7512, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 18A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 3280000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 5280000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 8070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 7A80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 9070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: A070000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 1120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 2CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Memory allocated: 4CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 1110000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 2B00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 2910000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 73D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 6DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 83D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 93D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 2E30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 3060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Memory allocated: 5060000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe  Thread delayed: delay time: 11999922
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 11999969
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 11999859
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 11999750
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 11999640
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7708Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 360Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8237Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 822Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWindow / User API: threadDelayed 5516Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWindow / User API: threadDelayed 4286Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWindow / User API: threadDelayed 2328
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWindow / User API: threadDelayed 7493
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 6960Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5480Thread sleep count: 7708 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6356Thread sleep count: 360 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7356Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7260Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7324Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep count: 39 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -35971150943733603s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99874s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7392Thread sleep count: 5516 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99758s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99647s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99540s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99420s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99309s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7392Thread sleep count: 4286 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99090s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98981s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98872s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98760s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98653s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98546s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98327s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98218s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98108s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97999s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97890s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97780s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97668s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97562s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97343s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97233s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99437s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99328s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -99073s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98969s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98844s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98613s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -98110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97500s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97381s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97250s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -97141s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe TID: 7380Thread sleep time: -11999922s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7548Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep count: 38 > 30
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7756Thread sleep count: 2328 > 30
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99854s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7756Thread sleep count: 7493 > 30
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99749s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99394s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99273s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99157s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99032s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98907s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98782s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98657s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98532s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98407s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98172s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98045s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97938s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97828s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97719s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -195220s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -194970s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -194720s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99813s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99688s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99438s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -11999969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -11999859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -11999750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe TID: 7744Thread sleep time: -11999640s >= -30000s
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99874Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99758Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99647Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99540Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99420Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99309Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99203Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99090Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98981Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98872Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98760Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98653Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98546Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98437Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98327Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98218Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98108Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97999Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97890Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97780Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97668Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97562Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97453Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97343Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97233Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99984Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99437Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 99073Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98969Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98844Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98735Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98613Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98485Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98360Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98235Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 98110Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97985Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97860Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97719Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97610Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97500Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97381Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97250Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 97141Jump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeThread delayed: delay time: 11999922Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99854
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99749
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99641
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99394
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99273
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99157
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99032
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98907
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98782
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98657
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98532
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98407
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98172
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 98045
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97938
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97828
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97719
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97610
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97485
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 97360
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99985
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99813
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeThread delayed: delay time: 99688
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 99563
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 99438
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 99328
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 99219
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 99094
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98985
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98860
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98735
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98235
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 98110
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 97985
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 97860
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 97735
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 97235
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 11999969
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 11999859
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 11999750
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Thread delayed: delay time: 11999640
                    Source: dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXs<
                    Source: Sy3CL61n0uDC55M.exe, 00000000.00000002.1719033498.0000000007FA2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P=Y
                    Source: Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Memory written: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Memory written: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Process created: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp"
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Process created: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2923384112.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2923384112.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2923384112.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 7280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7660, type: MEMORYSTR
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2923384112.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 7280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7660, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d7b2e0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.dJlGycWPOpq.exe.3d3eac0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44fa5a8.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Sy3CL61n0uDC55M.exe.44bdd88.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.2923384112.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2923384112.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2922567314.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.2923384112.0000000003061000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 6892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Sy3CL61n0uDC55M.exe PID: 7280, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dJlGycWPOpq.exe PID: 7660, type: MEMORYSTR
MITRE ATT&CK matrix tactics (columns): Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    111
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job
                    3
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    1
                    Query Registry
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS211
                    Security Software Discovery
                    Distributed Component Object Model21
                    Input Capture
                    11
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets1
                    Process Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading
                    Cached Domain Credentials141
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion
                    DCSync1
                    Application Window Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1448091; Sample: Sy3CL61n0uDC55M.exe; Start date: 27/05/2024; Architecture: WINDOWS; Score: 100

• Start (node 2): DNS/IP: zqamcx.com. Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures. Starts Sy3CL61n0uDC55M.exe (node 8) and dJlGycWPOpq.exe (node 12).
• Sy3CL61n0uDC55M.exe (node 8): dropped files: C:\Users\user\AppData\...\dJlGycWPOpq.exe (PE32); C:\Users\user\AppData\Local\...\tmp987A.tmp (XML). Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender. Starts Sy3CL61n0uDC55M.exe (node 14), powershell.exe (node 18), powershell.exe (node 20) and 2 other processes (node 28).
• dJlGycWPOpq.exe (node 12): Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes. Starts dJlGycWPOpq.exe (node 22), schtasks.exe (node 24) and dJlGycWPOpq.exe (node 26).
• Sy3CL61n0uDC55M.exe (node 14): DNS/IP: zqamcx.com 78.110.166.82, 49735, 49738, 49739, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, United Kingdom. Signature: Installs a global keyboard hook.
• powershell.exe (node 18): Signature: Loading BitLocker PowerShell Module. Starts WmiPrvSE.exe (node 30) and conhost.exe (node 32).
• powershell.exe (node 20): starts conhost.exe (node 34).
• dJlGycWPOpq.exe (node 22): Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc).
• schtasks.exe (node 24): starts conhost.exe (node 36).
• 2 other processes (node 28): start conhost.exe (node 38).

Source | Detection | Scanner | Label | Link
Sy3CL61n0uDC55M.exe | 49% | Virustotal | | Browse
Sy3CL61n0uDC55M.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Barys |
Sy3CL61n0uDC55M.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | 39% | ReversingLabs | ByteCode-MSIL.Trojan.Barys |
C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe | 49% | Virustotal | | Browse
                    No Antivirus matches
Source | Detection | Scanner | Label | Link
zqamcx.com | 10% | Virustotal | | Browse
Source | Detection | Scanner | Label | Link
http://www.apache.org/licenses/LICENSE-2.0 | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designersG | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
https://account.dyn.com/ | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers? | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.tiro.com | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers | 0% | URL Reputation | safe |
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe |
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
http://r3.o.lencr.org0 | 0% | URL Reputation | safe |
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe |
http://www.fonts.com | 0% | URL Reputation | safe |
http://www.sandoll.co.kr | 0% | URL Reputation | safe |
http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://www.sakkal.com | 0% | URL Reputation | safe |
http://r3.i.lencr.org/0# | 0% | URL Reputation | safe |
http://zqamcx.com | 0% | Avira URL Cloud | safe |
http://zqamcx.com | 10% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
zqamcx.com | 78.110.166.82 | true | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designersG | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/bThe | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | Sy3CL61n0uDC55M.exe, 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2919418555.0000000000437000.00000040.00000400.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.goodfont.co.kr | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Sy3CL61n0uDC55M.exe, dJlGycWPOpq.exe.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.carterandcone.coml | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.typography.netD | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.founder.com.cn/cn | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.c.lencr.org/0 | Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://x1.i.lencr.org/0 | Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.o.lencr.org0 | Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.00000000068A4000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.0000000006862000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sandoll.co.kr | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://zqamcx.com | Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp | false | 10%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Sy3CL61n0uDC55M.exe, 00000000.00000002.1709863179.0000000003281000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000B.00000002.1750055536.0000000002B01000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | Sy3CL61n0uDC55M.exe, 00000000.00000002.1715598824.0000000005CB0000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000000.00000002.1715865434.00000000074B2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://r3.i.lencr.org/0# | Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.000000000674D000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2934704558.0000000006732000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.0000000001166000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2921005633.00000000011B8000.00000004.00000020.00020000.00000000.sdmp, Sy3CL61n0uDC55M.exe, 00000009.00000002.2922567314.0000000002D06000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.00000000030B6000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2923384112.0000000003185000.00000004.00000800.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.0000000001276000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.00000000068A4000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2934918907.0000000006862000.00000004.00000020.00020000.00000000.sdmp, dJlGycWPOpq.exe, 0000000F.00000002.2920231432.00000000012DD000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
78.110.166.82 | zqamcx.com | United Kingdom | | 42831 | UKSERVERS-ASUKDedicatedServersHostingandCo-Location | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1448091
Start date and time: 2024-05-27 19:19:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Sy3CL61n0uDC55M.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/15@1/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 177
                    • Number of non-executed functions: 10
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
13:19:57 | API Interceptor | 2198963x Sleep call for process: Sy3CL61n0uDC55M.exe modified
13:19:59 | API Interceptor | 40x Sleep call for process: powershell.exe modified
13:20:02 | API Interceptor | 1496903x Sleep call for process: dJlGycWPOpq.exe modified
18:20:01 | Task Scheduler | Run new task: dJlGycWPOpq path: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
78.110.166.82 | COB756883.vbs | Get hash | malicious | CobaltStrike | Browse | windowsupdatesolutions.com/ServerCOB.txt
78.110.166.82 | Ingreso_SII_Abril_2021.cmd | Get hash | malicious | Unknown | Browse | www.emolcl.com/namaste/puma.php
78.110.166.82 | Ingreso_SII_Abril_2021.cmd | Get hash | malicious | Unknown | Browse | www.emolcl.com/namaste/puma.php
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
zqamcx.com | hesaphareketi-01.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
zqamcx.com | FaturaBildirim.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
zqamcx.com | 41570002689_20220814_05352297_HesapOzeti.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
zqamcx.com | LxSneZ9idc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
zqamcx.com | Bi4ExEJFqF.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
zqamcx.com | Inquiry No PJO-4010574.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
zqamcx.com | 450230549.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
zqamcx.com | hesaphareketi-01.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | hesaphareketi-01.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | FaturaBildirim.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | 41570002689_20220814_05352297_HesapOzeti.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | PO-20231228003.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | LxSneZ9idc.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Bi4ExEJFqF.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | PO20240134.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | Inquiry No PJO-4010574.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | PO#25324.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
UKSERVERS-ASUKDedicatedServersHostingandCo-Location | FYI.exe | Get hash | malicious | AgentTesla | Browse | 78.110.166.82
                    No context
                    No context
Process: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                    Process:C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1216
                    Entropy (8bit):5.34331486778365
                    Encrypted:false
                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                    Malicious:false
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380747059108785
Encrypted: false
SSDEEP: 48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeoPUyus:lGLHxvIIwLgZ2KRHWLOugYs
MD5: 844F2045BCDEF300385E9B9F0D4FD9FE
SHA1: 23190F5644FADE811CA696A3ADCB1862488AC0C4
SHA-256: 84CC08EA3DD249D7C935B0149EC8EC6FD20BB3745DBD69E9CD278A3A78E97597
SHA-512: 3F3F79FBF47D232285BC8DDFF58553B7FB5A47B5A06C7A1FA95E9A29110DDCC1927D41D24DBA4A4100C10CB57C3BF0201591E6BCEEA2152D0184065DB96EA7C3
Malicious: false
                    Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1577
Entropy (8bit): 5.1159554606208575
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT4v
MD5: C9D86C274D4767AC60464011AE383BFE
SHA1: 92D9BAE24CE94CA6C2892A89FC2C1EA13B0F3019
SHA-256: 2B4EE493DFF2527DDDE25EC61BA6ED35C352A20C87C61E74994112A62C8C87B0
SHA-512: EDEA407698635A3DD9278C1C3F4C5A83BED9B5E16B541A476A225363F8596ECE74CDA19800C1A1F55BDCB80C0ED72E288E33D342F9A37113F8E4C7DE3354FC0D
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

Process: C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1577
Entropy (8bit): 5.1159554606208575
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT4v
MD5: C9D86C274D4767AC60464011AE383BFE
SHA1: 92D9BAE24CE94CA6C2892A89FC2C1EA13B0F3019
SHA-256: 2B4EE493DFF2527DDDE25EC61BA6ED35C352A20C87C61E74994112A62C8C87B0
SHA-512: EDEA407698635A3DD9278C1C3F4C5A83BED9B5E16B541A476A225363F8596ECE74CDA19800C1A1F55BDCB80C0ED72E288E33D342F9A37113F8E4C7DE3354FC0D
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

Process: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 800264
Entropy (8bit): 7.909658324024496
Encrypted: false
SSDEEP: 12288:XHXNyvK/hPZmR1f2J3C+dTCienDEB22NsuV1F6Oa4wSvnsGRf4ATI1Rsos+Op0kR:X9yGPnC8GF4m+yYvn54sI1a/+O1
MD5: D0F3CF5271F7290A5779928F06BC96C8
SHA1: 981C80A9A2994D639C6C2A365C275519318D771E
SHA-256: F95C4CFA4575ECCE08CE137D4FA5EDE9FD4356814C770120DFEA81D1E3ED157F
SHA-512: B9C0FD1949CAA9B9D17BB9A468E50A98DEEC78A80E20172DD8B9B78AEE8B7DD796E3500F69CAEA1196E82F95AE30ACBCD603EA7E83699C064C676669B8E79F58
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 39%
• Antivirus: Virustotal, Detection: 49%
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....aTf..............0......@......^.... ........@.. .......................@............@.....................................O........$...............6... ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc....$.......0..................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Preview: [ZoneTransfer]....ZoneId=0

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.909658324024496
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Sy3CL61n0uDC55M.exe
File size: 800'264 bytes
MD5: d0f3cf5271f7290a5779928f06bc96c8
SHA1: 981c80a9a2994d639c6c2a365c275519318d771e
SHA256: f95c4cfa4575ecce08ce137d4fa5ede9fd4356814c770120dfea81d1e3ed157f
SHA512: b9c0fd1949caa9b9d17bb9a468e50a98deec78a80e20172dd8b9b78aee8b7dd796e3500f69caea1196e82f95ae30acbcd603ea7e83699c064c676669b8e79f58
SSDEEP: 12288:XHXNyvK/hPZmR1f2J3C+dTCienDEB22NsuV1F6Oa4wSvnsGRf4ATI1Rsos+Op0kR:X9yGPnC8GF4m+yYvn54sI1a/+O1
TLSH: 6F05236235645F00D6A6D7F14C781AEAAFF6B2AB14B0F61C9CF170CC46A5FA18350B1B
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....aTf..............0......@......^.... ........@.. .......................@............@................................
Icon Hash: b29f0f26342a1507
Entrypoint: 0x4bcd5e
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x665461F9 [Mon May 27 10:35:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 13/11/2018 00:00:00 | 08/11/2021 23:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbcd0c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xbe000 | 0x240c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc0000 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbad64 | 0xbb000 | 71df1fd772b4aa081f9d7f468de295ec | False | 0.9400980740307486 | data | 7.953202180657301 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xbe000 | 0x240c | 0x3000 | efff54d9a1d8a775dbe4f79237e03a8d | False | 0.6735026041666666 | data | 6.312782921673373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc2000 | 0xc | 0x1000 | 0caea1070615ac084254f0aaf661efab | False | 0.0087890625 | data | 0.016408464515625623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xbe100 | 0x1de6 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9775280898876404
RT_GROUP_ICON | 0xbfef8 | 0x14 | data | | | 1.05
RT_VERSION | 0xbff1c | 0x2f0 | SysEx File - IDP | | | 0.41888297872340424
RT_MANIFEST | 0xc021c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2024 19:20:01.638689995 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:01.645489931 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:01.645555019 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.282296896 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.282913923 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.290285110 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.457463980 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.468000889 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.473762035 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.641678095 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.648094893 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.653006077 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.827325106 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.827353954 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.827369928 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.827388048 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:02.827413082 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.830275059 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.849489927 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:02.856056929 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.032783985 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.051404953 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.056616068 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.226463079 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.227760077 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.232768059 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.403054953 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.403656960 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.408612967 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.578820944 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.579118013 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.584083080 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.751840115 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.752070904 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.757080078 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.926069021 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:03.926254034 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:03.942312002 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.109977961 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.110867977 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.110943079 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.110966921 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.110985041 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.116194963 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.116225958 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.116252899 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.116286039 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.300928116 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.348001957 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.353180885 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.521075010 CEST | 587 | 49735 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.523967028 CEST | 49735 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.525055885 CEST | 49738 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:04.530226946 CEST | 587 | 49738 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:04.530332088 CEST | 49738 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:05.127528906 CEST | 587 | 49738 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:05.128401995 CEST | 49738 | 587 | 192.168.2.4 | 78.110.166.82
May 27, 2024 19:20:05.133304119 CEST | 587 | 49738 | 78.110.166.82 | 192.168.2.4
May 27, 2024 19:20:05.155894041 CEST | 49739 | 587 | 192.168.2.4 | 78.110.166.82
                    May 27, 2024 19:20:05.163902998 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.163979053 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.303633928 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.303818941 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.327395916 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.498641968 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.499264956 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.505435944 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.711019039 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.711077929 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.711112976 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.711148977 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.711174011 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.711245060 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.725369930 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.730561972 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.751703024 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.773066044 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.782814026 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.929286003 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.930437088 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.936970949 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.948923111 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:05.949109077 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:05.956851959 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.111944914 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.112180948 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.117516994 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.119590998 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.123953104 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.139461040 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.286593914 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.286879063 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.291821003 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.306649923 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.306667089 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.306683064 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.306746960 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.308199883 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.313097954 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.474066019 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.474280119 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.490663052 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.493454933 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.547218084 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.552520037 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.682640076 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.683053970 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.688447952 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.713784933 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.714211941 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.719238997 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.869569063 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.869762897 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.878819942 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.894850016 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:06.895117998 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:06.901966095 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.048722982 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.049778938 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.049971104 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050024033 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050071955 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050187111 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050292015 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050292015 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050326109 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.050349951 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.055075884 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.059855938 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.059868097 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.059879065 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061534882 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061548948 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061559916 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061570883 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061580896 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.061590910 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.065973997 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.066265106 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.071708918 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.233053923 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.233355999 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.239370108 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.251882076 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.331717014 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.402518988 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.402779102 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.410662889 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.573468924 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.574287891 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.574287891 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.574287891 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.574287891 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.579430103 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.579479933 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.579632044 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.579659939 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.845649004 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:07.881558895 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:07.886630058 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.058845997 CEST5874973978.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.062134027 CEST49739587192.168.2.478.110.166.82
                    May 27, 2024 19:20:08.066994905 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:08.074697971 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.074778080 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:08.673966885 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.674242020 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:08.683439970 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.853504896 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:08.853781939 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:08.858938932 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.028450966 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.029023886 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.037803888 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.214171886 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.214215040 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.214248896 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.214286089 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.214432955 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.214432955 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.216007948 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.222119093 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.402216911 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.403284073 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.408399105 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.575858116 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.576530933 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.586638927 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.754312038 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.762408972 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.771163940 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.938730001 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:09.939054966 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:09.945207119 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.112421036 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.112793922 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.117856979 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.286314011 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.286604881 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.292232990 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.462625980 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.463079929 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463136911 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463191986 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463191986 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463321924 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463321924 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463377953 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463377953 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.463397980 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:20:10.472239971 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472254992 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472265959 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472276926 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472384930 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472395897 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472706079 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472717047 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.472728014 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.740348101 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:20:10.784847021 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:21:41.550775051 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:21:41.557107925 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:21:41.733095884 CEST5874973878.110.166.82192.168.2.4
                    May 27, 2024 19:21:41.734788895 CEST49738587192.168.2.478.110.166.82
                    May 27, 2024 19:21:45.175862074 CEST49740587192.168.2.478.110.166.82
                    May 27, 2024 19:21:45.180803061 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:21:45.348922968 CEST5874974078.110.166.82192.168.2.4
                    May 27, 2024 19:21:45.349541903 CEST49740587192.168.2.478.110.166.82
                    Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
                    May 27, 2024 19:20:01.530575037 CEST | 56430       | 53        | 192.168.2.4 | 1.1.1.1
                    May 27, 2024 19:20:01.631154060 CEST | 53          | 56430     | 1.1.1.1     | 192.168.2.4
                    Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name       | Type           | Class       | DNS over HTTPS
                    May 27, 2024 19:20:01.530575037 CEST | 192.168.2.4 | 1.1.1.1 | 0x3451   | Standard query (0) | zqamcx.com | A (IP address) | IN (0x0001) | false
                    Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name       | CName | Address       | Type           | Class       | DNS over HTTPS
                    May 27, 2024 19:20:01.631154060 CEST | 1.1.1.1   | 192.168.2.4 | 0x3451   | No error (0) | zqamcx.com |       | 78.110.166.82 | A (IP address) | IN (0x0001) | false
                    Timestamp                            | Source Port | Dest Port | Source IP     | Dest IP       | Commands
                    May 27, 2024 19:20:02.282296896 CEST | 587         | 49735     | 78.110.166.82 | 192.168.2.4   | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 27 May 2024 18:20:02 +0100
                                                         |             |           |               |               | 220-We do not authorize the use of this system to transport unsolicited,
                                                         |             |           |               |               | 220 and/or bulk e-mail.
                    May 27, 2024 19:20:02.282913923 CEST | 49735       | 587       | 192.168.2.4   | 78.110.166.82 | EHLO 675052
                    May 27, 2024 19:20:02.457463980 CEST | 587         | 49735     | 78.110.166.82 | 192.168.2.4   | 250-cphost14.qhoster.net Hello 675052 [8.46.123.175]
                                                         |             |           |               |               | 250-SIZE 52428800
                                                         |             |           |               |               | 250-8BITMIME
                                                         |             |           |               |               | 250-PIPELINING
                                                         |             |           |               |               | 250-PIPECONNECT
                                                         |             |           |               |               | 250-STARTTLS
                                                         |             |           |               |               | 250 HELP
                    May 27, 2024 19:20:02.468000889 CEST | 49735       | 587       | 192.168.2.4   | 78.110.166.82 | STARTTLS
                    May 27, 2024 19:20:02.641678095 CEST | 587         | 49735     | 78.110.166.82 | 192.168.2.4   | 220 TLS go ahead
                    May 27, 2024 19:20:05.127528906 CEST | 587         | 49738     | 78.110.166.82 | 192.168.2.4   | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 27 May 2024 18:20:04 +0100
                                                         |             |           |               |               | 220-We do not authorize the use of this system to transport unsolicited,
                                                         |             |           |               |               | 220 and/or bulk e-mail.
                    May 27, 2024 19:20:05.128401995 CEST | 49738       | 587       | 192.168.2.4   | 78.110.166.82 | EHLO 675052
                    May 27, 2024 19:20:05.303633928 CEST | 587         | 49738     | 78.110.166.82 | 192.168.2.4   | 250-cphost14.qhoster.net Hello 675052 [8.46.123.175]
                                                         |             |           |               |               | 250-SIZE 52428800
                                                         |             |           |               |               | 250-8BITMIME
                                                         |             |           |               |               | 250-PIPELINING
                                                         |             |           |               |               | 250-PIPECONNECT
                                                         |             |           |               |               | 250-STARTTLS
                                                         |             |           |               |               | 250 HELP
                    May 27, 2024 19:20:05.303818941 CEST | 49738       | 587       | 192.168.2.4   | 78.110.166.82 | STARTTLS
                    May 27, 2024 19:20:05.498641968 CEST | 587         | 49738     | 78.110.166.82 | 192.168.2.4   | 220 TLS go ahead
                    May 27, 2024 19:20:05.751703024 CEST | 587         | 49739     | 78.110.166.82 | 192.168.2.4   | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 27 May 2024 18:20:05 +0100
                                                         |             |           |               |               | 220-We do not authorize the use of this system to transport unsolicited,
                                                         |             |           |               |               | 220 and/or bulk e-mail.
                    May 27, 2024 19:20:05.773066044 CEST | 49739       | 587       | 192.168.2.4   | 78.110.166.82 | EHLO 675052
                    May 27, 2024 19:20:05.948923111 CEST | 587         | 49739     | 78.110.166.82 | 192.168.2.4   | 250-cphost14.qhoster.net Hello 675052 [8.46.123.175]
                                                         |             |           |               |               | 250-SIZE 52428800
                                                         |             |           |               |               | 250-8BITMIME
                                                         |             |           |               |               | 250-PIPELINING
                                                         |             |           |               |               | 250-PIPECONNECT
                                                         |             |           |               |               | 250-STARTTLS
                                                         |             |           |               |               | 250 HELP
                    May 27, 2024 19:20:05.949109077 CEST | 49739       | 587       | 192.168.2.4   | 78.110.166.82 | STARTTLS
                    May 27, 2024 19:20:06.119590998 CEST | 587         | 49739     | 78.110.166.82 | 192.168.2.4   | 220 TLS go ahead
                    May 27, 2024 19:20:08.673966885 CEST | 587         | 49740     | 78.110.166.82 | 192.168.2.4   | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Mon, 27 May 2024 18:20:08 +0100
                                                         |             |           |               |               | 220-We do not authorize the use of this system to transport unsolicited,
                                                         |             |           |               |               | 220 and/or bulk e-mail.
                    May 27, 2024 19:20:08.674242020 CEST | 49740       | 587       | 192.168.2.4   | 78.110.166.82 | EHLO 675052
                    May 27, 2024 19:20:08.853504896 CEST | 587         | 49740     | 78.110.166.82 | 192.168.2.4   | 250-cphost14.qhoster.net Hello 675052 [8.46.123.175]
                                                         |             |           |               |               | 250-SIZE 52428800
                                                         |             |           |               |               | 250-8BITMIME
                                                         |             |           |               |               | 250-PIPELINING
                                                         |             |           |               |               | 250-PIPECONNECT
                                                         |             |           |               |               | 250-STARTTLS
                                                         |             |           |               |               | 250 HELP
                    May 27, 2024 19:20:08.853781939 CEST | 49740       | 587       | 192.168.2.4   | 78.110.166.82 | STARTTLS
                    May 27, 2024 19:20:09.028450966 CEST | 587         | 49740     | 78.110.166.82 | 192.168.2.4   | 220 TLS go ahead

                    Target ID:0
                    Start time:13:19:56
                    Start date:27/05/2024
                    Path:C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Imagebase:0xe70000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1710833407.00000000044BD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:true

                    Target ID:2
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Imagebase:0x1f0000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:3
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Imagebase:0x1f0000
                    File size:433'152 bytes
                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmp987A.tmp"
                    Imagebase:0xf40000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:13:19:58
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:8
                    Start time:13:19:59
                    Start date:27/05/2024
                    Path:C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Imagebase:0x270000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:9
                    Start time:13:19:59
                    Start date:27/05/2024
                    Path:C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\Sy3CL61n0uDC55M.exe"
                    Imagebase:0x940000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2922567314.0000000002D28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2922567314.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2922567314.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2922567314.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false

                    Target ID:10
                    Start time:13:20:01
                    Start date:27/05/2024
                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Imagebase:0x7ff693ab0000
                    File size:496'640 bytes
                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                    Has elevated privileges:true
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:13:20:01
                    Start date:27/05/2024
                    Path:C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Imagebase:0x6e0000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000B.00000002.1752300058.0000000003D3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Antivirus matches:
                    • Detection: 100%, Joe Sandbox ML
                    • Detection: 39%, ReversingLabs
                    • Detection: 49%, Virustotal
                    Reputation:low
                    Has exited:true

                    Target ID:12
                    Start time:13:20:03
                    Start date:27/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dJlGycWPOpq" /XML "C:\Users\user\AppData\Local\Temp\tmpA9CF.tmp"
                    Imagebase:0xf40000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:13:20:03
                    Start date:27/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7699e0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:13:20:03
                    Start date:27/05/2024
                    Path:C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Imagebase:0x220000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:low
                    Has exited:true

                    Target ID:15
                    Start time:13:20:03
                    Start date:27/05/2024
                    Path:C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Roaming\dJlGycWPOpq.exe"
                    Imagebase:0xc30000
                    File size:800'264 bytes
                    MD5 hash:D0F3CF5271F7290A5779928F06BC96C8
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2923384112.00000000030D8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2923384112.00000000030AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2923384112.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.2923384112.0000000003061000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false


                      Execution Graph

                      Execution Coverage:11.3%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:162
                      Total number of Limit Nodes:6
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d865f3ba581d58aab7e2a7ac807c1168c2f4986655433867b3f80881671a05fb
                      • Instruction ID: b0ff9ad09c8a55a1dd64bffd7bd0710784c5ea20290ec485d29a97c06d6c38ea
                      • Opcode Fuzzy Hash: d865f3ba581d58aab7e2a7ac807c1168c2f4986655433867b3f80881671a05fb
                      • Instruction Fuzzy Hash: ADC048B6EAE008D289001CD8AC814F8EB3C83CB076E803462D23EA22035510922685AA

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0190D0BE
                      • GetCurrentThread.KERNEL32 ref: 0190D0FB
                      • GetCurrentProcess.KERNEL32 ref: 0190D138
                      • GetCurrentThreadId.KERNEL32 ref: 0190D191
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: e72fac028099725fd0c0194456020fdaa8baa79c2a434f31eca24dd02d7e1ef5
                      • Instruction ID: d0bb137da67de40848bb3a956b3e0ab554e7bb0f99087c96240bcdf8492fb8da
                      • Opcode Fuzzy Hash: e72fac028099725fd0c0194456020fdaa8baa79c2a434f31eca24dd02d7e1ef5
                      • Instruction Fuzzy Hash: 2F5166B09003498FDB58DFA9D948B9EBBF5FF88314F20C459E409A7390DB749984CB65

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 0190D0BE
                      • GetCurrentThread.KERNEL32 ref: 0190D0FB
                      • GetCurrentProcess.KERNEL32 ref: 0190D138
                      • GetCurrentThreadId.KERNEL32 ref: 0190D191
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: f24cfe431a81693abb3bbd9ce1fcdc6a3b40f885bcdf3adff28bf258ba10d33f
                      • Instruction ID: 69ea8f840140b5c336ace0956b543a040d5dbc976ffd52eb9e717d1b16f2f074
                      • Opcode Fuzzy Hash: f24cfe431a81693abb3bbd9ce1fcdc6a3b40f885bcdf3adff28bf258ba10d33f
                      • Instruction Fuzzy Hash: 345165B09003098FDB58DFA9D948B9EBBF1FF88314F20C459E409A7390DB749984CB65

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A78C6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 872b9411a01b8accd34e5d155b00e7e335c036cc250e77cc1977b73f84cf364f
                      • Instruction ID: b694251d965d10709e42175eac649564086cea28b1df8d985f6d0e64bd693b3e
                      • Opcode Fuzzy Hash: 872b9411a01b8accd34e5d155b00e7e335c036cc250e77cc1977b73f84cf364f
                      • Instruction Fuzzy Hash: 93A15BB1D0021ACFDB10CFA9CC457DDBBB2BF88314F148569D819A7240DB789985CF92

                      Control-flow Graph

                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A78C6E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 403bf19e06715f0f9d64499ff2a56e96a69c896e04e74ad4e5a90c3d6fce4f84
                      • Instruction ID: 143fb9a79ee84b7d475a21359f149ab6140c15c37cf7e0361a1c895897cbb22e
                      • Opcode Fuzzy Hash: 403bf19e06715f0f9d64499ff2a56e96a69c896e04e74ad4e5a90c3d6fce4f84
                      • Instruction Fuzzy Hash: 20916CB1D0021ACFDB10CFA9CC857DEBBB2BF88314F148569D819A7240DB789985CF92

                      Control-flow Graph

                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0190AFFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: f25b26d4824c948d70a2aa9c3fedfc35546b6cb84870090887ea25185a870dab
                      • Instruction ID: 1dfd5015361a81c614a20244118d81d473909570022c888c64134280b63ca652
                      • Opcode Fuzzy Hash: f25b26d4824c948d70a2aa9c3fedfc35546b6cb84870090887ea25185a870dab
                      • Instruction Fuzzy Hash: 60817970A00B058FD725DF29D44475ABBF5FF88305F008A2ED18AD7A81D775E94ACB90

                      Control-flow Graph

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 019059C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 972d1faeaa7434dd245a3c39fb7d6bb55b7bdba7176e355a56e5cef6ffa52ff7
                      • Instruction ID: 7a9d1ad49f2372915f3794382ed42fdeaebc06db3b157576417ec3276efbfa51
                      • Opcode Fuzzy Hash: 972d1faeaa7434dd245a3c39fb7d6bb55b7bdba7176e355a56e5cef6ffa52ff7
                      • Instruction Fuzzy Hash: 4041D0B0C0071DCEDB24DFA9C884B9EBBB5BF49304F60846AE419AB251DB756985CF90

                      Control-flow Graph

                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 019059C9
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: e9112d261a113f94e8687d0bfb179e97a087753be28051b72dd17cc3052e793f
                      • Instruction ID: e55ad85a6efcb712ca06ab24f605216104441543a7b849535b79013a24b41e49
                      • Opcode Fuzzy Hash: e9112d261a113f94e8687d0bfb179e97a087753be28051b72dd17cc3052e793f
                      • Instruction Fuzzy Hash: 6F41E2B0C0071DCEDB24DFA9C884BCDBBB5BF48314F60805AD419AB251DB756985CF90

                      Control-flow Graph

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A78840
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 1f11d6a8495e59948f3bd6bbabe8060557ad7809a3210ac749db52b4dda0d0e2
                      • Instruction ID: 622d2a5d0a2e523899d2cd6b7eaecf33515d16163f7dfe2d05d23b3c3ccf6be1
                      • Opcode Fuzzy Hash: 1f11d6a8495e59948f3bd6bbabe8060557ad7809a3210ac749db52b4dda0d0e2
                      • Instruction Fuzzy Hash: D2215AB5D003099FCB10DFAAC845BDEBBF5FF88320F10842AE519A7240C7789944CBA4

                      Control-flow Graph

                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A78840
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: 79f1f60eaf75f914fd2512e32bd92a0501d4c6093e32eab340ad860eaf1c0a1c
                      • Instruction ID: 205b53ca4bf4b8c514612a22829607b610046833c2eb61965bf3dc4c0b674be9
                      • Opcode Fuzzy Hash: 79f1f60eaf75f914fd2512e32bd92a0501d4c6093e32eab340ad860eaf1c0a1c
                      • Instruction Fuzzy Hash: AF2139B1D003599FDB10DFAAC885BDEBBF5FF88310F10842AE959A7240C7789954CBA4

                      Control-flow Graph

                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A7825E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: d8c4487cab15d05e2d65ef253099389a614134b0284c35951730165da17c5ec6
                      • Instruction ID: 2bc24c84c1834ab103ab69ac1aa2b270b06dff0e1c6f7216a0cf86f14441cdba
                      • Opcode Fuzzy Hash: d8c4487cab15d05e2d65ef253099389a614134b0284c35951730165da17c5ec6
                      • Instruction Fuzzy Hash: 26215CB59003099FDB10DFAAC4457EEBBF4EF88324F108429D429A7641C7789945CFA1

                      Control-flow Graph

                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A78920
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 1412d86a6d0a9ce97ef49eec6782727f2c5a1277effa373f679cff64e0243780
                      • Instruction ID: 34372bd054c29942d24ca6775c3cce5fbb72258eb581de3b070f712869daffe3
                      • Opcode Fuzzy Hash: 1412d86a6d0a9ce97ef49eec6782727f2c5a1277effa373f679cff64e0243780
                      • Instruction Fuzzy Hash: D52148B1C003499FDB10DFAAC845AEEFBF5FF48320F10842AE559A3240C778A945DBA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190D717
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 66ad3d7a8f3525a572bfa131213570639d5fdd6a6b0f199850d1fc53e2a09e13
                      • Instruction ID: dca31d948bd6a9fbaad13679ab19388c0bd49fd8a06c033397dc9a942f8eddad
                      • Opcode Fuzzy Hash: 66ad3d7a8f3525a572bfa131213570639d5fdd6a6b0f199850d1fc53e2a09e13
                      • Instruction Fuzzy Hash: 352103B5D003489FDB10CF9AD884AEEFBF8EB48314F14801AE918B3250C378A940CFA1
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A7825E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: bcab6b4e7ed841db909f050bd3f1049469d8e987bac4f5819c35df296ac4e484
                      • Instruction ID: 26a0532cc1544ec0dfde3b519785c3b7d8f48f996bae667ab2a73410161e6a91
                      • Opcode Fuzzy Hash: bcab6b4e7ed841db909f050bd3f1049469d8e987bac4f5819c35df296ac4e484
                      • Instruction Fuzzy Hash: EF2149B1D003098FDB10DFAAC8857EEBBF4EF88324F108429D569A7240CB789945CFA5
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A78920
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 0b8450ba627c4507df209de62a360e939223d49099ee58fc69358e18b064e562
                      • Instruction ID: 73ae682908e863957212285bd0d3f85d8756555f62b644731d871600c557f397
                      • Opcode Fuzzy Hash: 0b8450ba627c4507df209de62a360e939223d49099ee58fc69358e18b064e562
                      • Instruction Fuzzy Hash: 3C2139B1C003599FDB10DFAAC845ADEFBF5FF48310F508429E559A7240C778A944DBA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0190D717
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 13b2a07173e5bcb4e28373f324d359b3a7c620c0b2fc4ce7412f4de4899bc479
                      • Instruction ID: 4e8121043495573634dbcc907740e7915e3bc1ce2a552866bf224725f8863dde
                      • Opcode Fuzzy Hash: 13b2a07173e5bcb4e28373f324d359b3a7c620c0b2fc4ce7412f4de4899bc479
                      • Instruction Fuzzy Hash: 0B21B3B59002499FDB10CF9AD984ADEBBF9EB48310F14841AE958A3250D374A954CFA5
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190B079,00000800,00000000,00000000), ref: 0190B28A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 6455788ec919a460f5389356efae9fab268c723a5c50f96049fcfe632cfa6eed
                      • Instruction ID: 87eb7378a0aa5c14951bd34a7df27617f8ae918cc6a0db74d66ecaadd52e2216
                      • Opcode Fuzzy Hash: 6455788ec919a460f5389356efae9fab268c723a5c50f96049fcfe632cfa6eed
                      • Instruction Fuzzy Hash: C41114B68003499FDB10DF9AC444BDEFBF4EB48310F10842AE51AB7240C375A944CFA5
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0190B079,00000800,00000000,00000000), ref: 0190B28A
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: c660a0c0d6fb76ccb978e2d24374a127c92477cd8c402bfeda04eca38a6164f9
                      • Instruction ID: 6ba8e43a149640a077d81ffc7a15950e7d29ad504c66305b2448a904eb8175a2
                      • Opcode Fuzzy Hash: c660a0c0d6fb76ccb978e2d24374a127c92477cd8c402bfeda04eca38a6164f9
                      • Instruction Fuzzy Hash: 841112BAC003498FDB14DFAAC444ADEFBF4EB88320F10842AD569A7240C375A545CFA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A7875E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 960f7c2c80471194d35bb6c2c39d639d8ba2d9bdfb880f6246c6c12ea07528ea
                      • Instruction ID: 8f2a8573b4b34206d83681c3e1d551d87ad4e7df1828596e8ac8f0315fbe03a5
                      • Opcode Fuzzy Hash: 960f7c2c80471194d35bb6c2c39d639d8ba2d9bdfb880f6246c6c12ea07528ea
                      • Instruction Fuzzy Hash: EB1167B19003499FCB10DFAAC845ADFBFF5EF88320F108419E529A7250CB79A940CFA1
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A7875E
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 5777c718f42ecfe778301ce08eeb7fa49a0d6ebfb590e48fadb8c495c71145cd
                      • Instruction ID: e6ad3924e36cdcfd74cf02e325c8f8790eb573c74ee5ae1b1215550d2f5f3476
                      • Opcode Fuzzy Hash: 5777c718f42ecfe778301ce08eeb7fa49a0d6ebfb590e48fadb8c495c71145cd
                      • Instruction Fuzzy Hash: B51137B19003499FDB10DFAAC845ADFBFF5EF88324F108419E529A7250C779A954CFA1
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 98e9b393c6848cd5dd3007819bce4568aea5e5b446d1c902c7d77438c6b4146d
                      • Instruction ID: 1b3ce98420bb777c0b22612653168c10c217d9c8b4742fc83b30314ae38eaab1
                      • Opcode Fuzzy Hash: 98e9b393c6848cd5dd3007819bce4568aea5e5b446d1c902c7d77438c6b4146d
                      • Instruction Fuzzy Hash: D51128B19003498FDB10DFAAC8457DFFBF5EB88324F208419D519A7240CB79A944CBA5
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A7D35D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 1f8e43da760354991d4caebc0a699583d6ffbb2183f378fe3ccd99704adc34ac
                      • Instruction ID: 75eb7dd455cfa4f4583b47d70db98cd735867418effb4f50658c1b125012975e
                      • Opcode Fuzzy Hash: 1f8e43da760354991d4caebc0a699583d6ffbb2183f378fe3ccd99704adc34ac
                      • Instruction Fuzzy Hash: 281106B58003499FDB10DF9AD949BDEFBF8FB48320F10841AD569A7600C375A584CFA5
                      APIs
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 27b9146f3d57b8c05994834880862a58f2fad6ac3ce97f3a715d53c37991e6d1
                      • Instruction ID: e2c18a7cc3cca794e883bbc2ee4cf2b2b1c7cf99d61e2b6a356f4742e77ba659
                      • Opcode Fuzzy Hash: 27b9146f3d57b8c05994834880862a58f2fad6ac3ce97f3a715d53c37991e6d1
                      • Instruction Fuzzy Hash: 721128B19003498FDB10DFAAC8457DFFBF5EB88324F208419D519A7240CB79A944CB95
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0190AFFE
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: fd8223beddd3da8e251579e5d39a00a393fb07a9e8dac57aa0ef175e539eb656
                      • Instruction ID: 7ec44aec8c3475387338349661cfaa0ec60062c82478eda336c26f4d29b6692c
                      • Opcode Fuzzy Hash: fd8223beddd3da8e251579e5d39a00a393fb07a9e8dac57aa0ef175e539eb656
                      • Instruction Fuzzy Hash: 4111DFB5C007498FDB14DF9AC444BDEFBF8AB88324F10841AD529A7250D379A545CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A7D35D
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 6b7c34c3e6abc68b4b5102653de2fea004275b6eefd10bfa750a55e3d004d7f0
                      • Instruction ID: f195a25d5206b8cd070c514faac33a7c2cea089e19a4a261a3be910d1b1a151c
                      • Opcode Fuzzy Hash: 6b7c34c3e6abc68b4b5102653de2fea004275b6eefd10bfa750a55e3d004d7f0
                      • Instruction Fuzzy Hash: 891106B59003499FDB10DF9AC949BDEBBF8EB48320F108419E569B7200C375A944CFA5
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708672234.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_16fd000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 416676ac8a319a54d6dc2e1d801228d95271b8504c70d52ce7115b7675fd7704
                      • Instruction ID: d20d01bbc7de493c827a2a67153e477640f620dfd66269665f0b59607890b1dd
                      • Opcode Fuzzy Hash: 416676ac8a319a54d6dc2e1d801228d95271b8504c70d52ce7115b7675fd7704
                      • Instruction Fuzzy Hash: E62102B1504200DFDB05DF48C9C4B56BB65FB94324F20C56CDA0A0A346C336F416C6A1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708774751.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_170d000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bec77f0f86b8ff8bb3786f97360b2de37fb1cd3b3f7230f339684faad80bb283
                      • Instruction ID: 27ebf2408f0006fae9d15f1e3368d9aaac2ff1d6059541b0230001f75a64e77f
                      • Opcode Fuzzy Hash: bec77f0f86b8ff8bb3786f97360b2de37fb1cd3b3f7230f339684faad80bb283
                      • Instruction Fuzzy Hash: 7F21D3B5604304DFDB26DF98D9C4B16FBA5EB84354F24C5ADD90E4B286C336D407CA61
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708672234.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_16fd000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                      • Instruction ID: d5cdbcda1021691c860ee24fbe4dbf49b8c46bbd5185a3312d82c2904b2c97ad
                      • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                      • Instruction Fuzzy Hash: C811DC76504280DFDB02CF44D9C4B56BF72FB84324F24C2ADDA090B656C33AE45ACBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708774751.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_170d000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                      • Instruction ID: 4d081ff27febd8386c1cfcc655e7cc5e2bc174533a0d93c08b5e5c104183dfc7
                      • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                      • Instruction Fuzzy Hash: 8C11BE75504380CFDB12CF54D5C4B15FBA2FB44324F24C6A9D8094B696C33AD40ACB62
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708672234.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_16fd000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9ad8b96dbe3464cb24e0a4c41c6473173ac7fcd29248f927e8bf9110bdefe265
                      • Instruction ID: 4b78b856f2787d3d5ebfb85b3928ce4259f76e32d351c6e72adabebb3c0392ee
                      • Opcode Fuzzy Hash: 9ad8b96dbe3464cb24e0a4c41c6473173ac7fcd29248f927e8bf9110bdefe265
                      • Instruction Fuzzy Hash: 6001A7710083849AE7105B99DC84B76FFD8DF51325F18C91EEE094E386C779A840C671
                      Memory Dump Source
                      • Source File: 00000000.00000002.1708672234.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_16fd000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c01c02e50a395e3421f5b23fe625c72f748ace0148977714153a0c748afe5515
                      • Instruction ID: 54b8f5ba42000ace4cebb1b58035759b6396f6736eada0488290a6488bfeefab
                      • Opcode Fuzzy Hash: c01c02e50a395e3421f5b23fe625c72f748ace0148977714153a0c748afe5515
                      • Instruction Fuzzy Hash: 72F062714043849EE7218B5ADD84B62FFE8EF51635F18C45EEE484E396C379A844CAB1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec16fa9164f2881900a269703bb5e413fd0240e618c4cdf058578c6193774614
                      • Instruction ID: edf7bf583aebe2288463d2eb3a8f6cc57712b2f0b821a85c456977bd3f811090
                      • Opcode Fuzzy Hash: ec16fa9164f2881900a269703bb5e413fd0240e618c4cdf058578c6193774614
                      • Instruction Fuzzy Hash: 97D1ACB1B053019FDB19DB79C85076EB7F6AFC9600F1488ADD15ACB290DB35E901CB52
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e77598d55e4336524f8efd598924fcbb9828cf53b99bd39c6dca2772eed2f8d9
                      • Instruction ID: 039774bf1dae405fb9ec8334c62d0848299cc700aa9b2e8f54d8b3f4cc3a169e
                      • Opcode Fuzzy Hash: e77598d55e4336524f8efd598924fcbb9828cf53b99bd39c6dca2772eed2f8d9
                      • Instruction Fuzzy Hash: B9E1E7B4E011198FCB14DFA9C9849AEFBB2FF89304F248169D414AB356D734AD41CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6337fd940ad0a567fa81db8db76b4881fcbc1b83b44bb4c4730113f0c74c7ef9
                      • Instruction ID: d77b412a5bd6413b4f2ded67d8159e22365b7113594aa1db876d95dc4a35a947
                      • Opcode Fuzzy Hash: 6337fd940ad0a567fa81db8db76b4881fcbc1b83b44bb4c4730113f0c74c7ef9
                      • Instruction Fuzzy Hash: 5DE1E9B4E016198FCB14DFA9C994AAEFBB2FF89304F248169D414AB355D730AD41CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0de105d8737f567c7054d32f6b8f3fcfe38d3c7982e91958f4bbe8069daf56a9
                      • Instruction ID: faf07c960976a126c2ef55e1b7c6e271adca6590120d23f6cdd491616687a891
                      • Opcode Fuzzy Hash: 0de105d8737f567c7054d32f6b8f3fcfe38d3c7982e91958f4bbe8069daf56a9
                      • Instruction Fuzzy Hash: 4BE1FBB4E015198FCB14DFA9C984AAEFBB2FF89304F248169D414AB355D731AD41CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5568d2e94d673c765cb7b01eef5bb7da9124ff10cc030a9457caace7e3f1f6b
                      • Instruction ID: 4ae0f1d008972a20a34e44614e7a19ed697b2bfeaf32a7abea0fa145d1afd298
                      • Opcode Fuzzy Hash: f5568d2e94d673c765cb7b01eef5bb7da9124ff10cc030a9457caace7e3f1f6b
                      • Instruction Fuzzy Hash: 7EE1E9B4E011198FCB14DFA9C9849AEFBB2FF89304F248169D415AB355D731AD81CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9b405fe0eba4dd9fbdfb0f50cd2e91d3e895856fdcf91e0ba668a0207ad7caf0
                      • Instruction ID: df7ecae73ca3c508fd62288652be0027ee4868c6ea09f9e11b1af72d8def25e3
                      • Opcode Fuzzy Hash: 9b405fe0eba4dd9fbdfb0f50cd2e91d3e895856fdcf91e0ba668a0207ad7caf0
                      • Instruction Fuzzy Hash: ABE1FAB4E011198FDB14DFA9C9849AEFBB2FF89304F248169D414AB356D731AD81CFA0
                      Memory Dump Source
                      • Source File: 00000000.00000002.1709200230.0000000001900000.00000040.00000800.00020000.00000000.sdmp, Offset: 01900000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1900000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: af3def59d9a3a57fe7905ad4b760a0d0d9d624b448f457e355ce182fefc44162
                      • Instruction ID: 2129cabf082cac9b6e224e32df046910c1bc46d00507581c05acd97b528a18f5
                      • Opcode Fuzzy Hash: af3def59d9a3a57fe7905ad4b760a0d0d9d624b448f457e355ce182fefc44162
                      • Instruction Fuzzy Hash: 95A18336E00209CFCF26DFB4C84459EB7B6FFC5301B15456AE90AAB2A5DB31EA55CB40
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 23eb6a1a8e3951e8be7559cda6847cec0b2f3566e365891542997d9873d7a50d
                      • Instruction ID: 5d3c464983bc89aa1354ba16ccccbaf4ff2103d06a93ac948c1c0d4534627ed0
                      • Opcode Fuzzy Hash: 23eb6a1a8e3951e8be7559cda6847cec0b2f3566e365891542997d9873d7a50d
                      • Instruction Fuzzy Hash: 8D512CB4E012198FDB14CFA9D9845AEFBB6FF89304F24816AD418AB316D7319D41CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 227ecf4e48f4aa2fed50faa7ee2e8c420827b7ffb9a8997a82cc8d631fa10119
                      • Instruction ID: c6889a0c0e79ce45f08e612c0b1871b2e78e1239b86a50202314033231e28380
                      • Opcode Fuzzy Hash: 227ecf4e48f4aa2fed50faa7ee2e8c420827b7ffb9a8997a82cc8d631fa10119
                      • Instruction Fuzzy Hash: 8C5108B4E012198FDB14CFA9D9845AEFBF2FF89300F24816AD418AB316D7359941CFA1
                      Memory Dump Source
                      • Source File: 00000000.00000002.1718805661.0000000007A70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7a70000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dfa17cf431210991ff722eed35bbe617f01f008ce1c78c92811540d0173f3361
                      • Instruction ID: fc800b2293c07372113473ca21cafb1456ba983702e3ecd29edef94375c733f6
                      • Opcode Fuzzy Hash: dfa17cf431210991ff722eed35bbe617f01f008ce1c78c92811540d0173f3361
                      • Instruction Fuzzy Hash: 2B51E8B4E016198FDB14DFA9C9845AEFBB2FF89304F24816AD418AB315D7349942CFA1

                      Execution Graph

                      Execution Coverage:11.7%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:124
                      Total number of Limit Nodes:10
                      execution_graph: [serialized node/edge data of the interactive execution graph; edge listing omitted. Windows API calls referenced by the graph nodes: DuplicateHandle, LoadLibraryExW, GlobalMemoryStatusEx, GetModuleHandleW]
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2242a9faf4201c2fa36eef046d91647660209391ca9e8087fbc98f55f231b2fa
                      • Instruction ID: ffbdd38ec48192a09acde8202e1f0a4bf6b6782e5845c4e46f1f408c2241f111
                      • Opcode Fuzzy Hash: 2242a9faf4201c2fa36eef046d91647660209391ca9e8087fbc98f55f231b2fa
                      • Instruction Fuzzy Hash: 4553F731D10B1A8ACB55EF68C880699F7B1FF99300F15D79AE45877221FB70AAD4CB81
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2a1b95c7267355ced439b4640431425d38aba061646c62763dd05ea656775a7d
                      • Instruction ID: cc0ee02a49445aba8588849e97b013aa5914cfde80df7399215e92ceb24f39b0
                      • Opcode Fuzzy Hash: 2a1b95c7267355ced439b4640431425d38aba061646c62763dd05ea656775a7d
                      • Instruction Fuzzy Hash: 9A334E31D1071A8EDB15EF68C8906ADF7B1FF99300F54C79AE448A7211EB70AAD5CB81
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 369c68e2af0183b15758d97830617216e97ebe12e13a65b1d47ab5802192a535
                      • Instruction ID: b19e5b665ad3d8ad562749f000d3c0cb678f66deec1e5cf4fbb14c891947739c
                      • Opcode Fuzzy Hash: 369c68e2af0183b15758d97830617216e97ebe12e13a65b1d47ab5802192a535
                      • Instruction Fuzzy Hash: 28B15F70E00229CFDF18CFADD89579DBBF2AF88314F148129D815E7694EB749865CB81
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4bb96965bc021ad2a4a0489feb15fc3e86998cf1025579a73c302c3975c2bc96
                      • Instruction ID: 52a769ad9e69c5ea63b163ddac80af04fae317e03c89a7cb79d678417f0c6207
                      • Opcode Fuzzy Hash: 4bb96965bc021ad2a4a0489feb15fc3e86998cf1025579a73c302c3975c2bc96
                      • Instruction Fuzzy Hash: 1F919170E00219CFDF18CFA8D9817DDBBF2BF88314F148129E415A7654EB389895CB82

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 1824 112fcd8-112fcf7 1825 112feb2-112fed6 1824->1825 1826 112fcfd-112fd06 1824->1826 1830 112fedd-112ff76 1825->1830 1829 112fd0c-112fd61 1826->1829 1826->1830 1839 112fd63-112fd88 1829->1839 1840 112fd8b-112fd94 1829->1840 1871 112ff7d-112ff82 1830->1871 1839->1840 1842 112fd96 1840->1842 1843 112fd99-112fda9 1840->1843 1842->1843 1878 112fdab call 112ff88 1843->1878 1879 112fdab call 112fcd8 1843->1879 1880 112fdab call 112fcc8 1843->1880 1881 112fdab call 112feb8 1843->1881 1846 112fdb1-112fdb3 1848 112fdb5-112fdba 1846->1848 1849 112fe0d-112fe5a 1846->1849 1851 112fdf3-112fe06 1848->1851 1852 112fdbc-112fdf1 1848->1852 1861 112fe61-112fe66 1849->1861 1851->1849 1852->1861 1864 112fe70-112fe75 1861->1864 1865 112fe68 1861->1865 1867 112fe77 1864->1867 1868 112fe7f-112fe84 1864->1868 1865->1864 1867->1868 1869 112fe86-112fe91 1868->1869 1870 112fe99 1868->1870 1869->1870 1870->1825 1878->1846 1879->1846 1880->1846 1881->1846
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID: (&^q$(bq
                      • API String ID: 0-1294341849
                      • Opcode ID: b27acebdd948b3c152ced3f8840db3234b92d03e3d72cbc3a549df8aff07939d
                      • Instruction ID: 598befdf6fa9a6daaf08cfb53e6fe692dbbae9347cf56254ebebd00ca39aba68
                      • Opcode Fuzzy Hash: b27acebdd948b3c152ced3f8840db3234b92d03e3d72cbc3a549df8aff07939d
                      • Instruction Fuzzy Hash: A471A631F002295BDB19DFB9D8506EEBBB6AFC4700F548529E506AB380DF34AD06CB91

                      Control-flow Graph

                      control_flow_graph 1949 1126ec7-1126f32 call 1126c30 1958 1126f34-1126f4d call 1126754 1949->1958 1959 1126f4e-1126f7c 1949->1959 1963 1126f7e-1126f81 1959->1963 1964 1126f83 call 1127910 1963->1964 1965 1126f91-1126f94 1963->1965 1971 1126f89-1126f8c 1964->1971 1967 1126f96-1126faa 1965->1967 1968 1126fc7-1126fca 1965->1968 1981 1126fb0 1967->1981 1982 1126fac-1126fae 1967->1982 1969 1126fde-1126fe1 1968->1969 1970 1126fcc-1126fd3 1968->1970 1974 1126fe3-1127018 1969->1974 1975 112701d-112701f 1969->1975 1972 11270db-11270e2 1970->1972 1973 1126fd9 1970->1973 1971->1965 1977 11270f1-11270f7 1972->1977 1978 11270e4 1972->1978 1973->1969 1974->1975 1979 1127021 1975->1979 1980 1127026-1127029 1975->1980 1994 11270e4 call 624ed60 1978->1994 1995 11270e4 call 624ed70 1978->1995 1996 11270e4 call 624ef0f 1978->1996 1979->1980 1980->1963 1984 112702f-112703e 1980->1984 1983 1126fb3-1126fc2 1981->1983 1982->1983 1983->1968 1988 1127040-1127043 1984->1988 1989 1127068-112707d 1984->1989 1985 11270ea 1985->1977 1991 112704b-1127066 1988->1991 1989->1972 1991->1988 1991->1989 1994->1985 1995->1985 1996->1985
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q$LR^q
                      • API String ID: 0-4089051495
                      • Opcode ID: e058f39f087e703844e983a10831d056e2e60b144def4a4bf5f638b153aed259
                      • Instruction ID: a2eaac6523eb80215964cacfb506dbb0e59953966195568ac2770dd411518e48
                      • Opcode Fuzzy Hash: e058f39f087e703844e983a10831d056e2e60b144def4a4bf5f638b153aed259
                      • Instruction Fuzzy Hash: FA51C130E102599FDF19DF78C464BAEB7B2EF86300F204469E805EB291EB759C56CB52

                      Control-flow Graph

                      control_flow_graph 2617 59fea40-59fea4f 2618 59fea7b-59fea7f 2617->2618 2619 59fea51-59fea5e call 59fdf24 2617->2619 2621 59fea93-59fead4 2618->2621 2622 59fea81-59fea8b 2618->2622 2624 59fea74 2619->2624 2625 59fea60-59fea6e call 59fecc8 2619->2625 2628 59fead6-59feade 2621->2628 2629 59feae1-59feaef 2621->2629 2622->2621 2624->2618 2625->2624 2635 59febb0-59fec70 2625->2635 2628->2629 2630 59feb13-59feb15 2629->2630 2631 59feaf1-59feaf6 2629->2631 2636 59feb18-59feb1f 2630->2636 2633 59feaf8-59feaff call 59fdf30 2631->2633 2634 59feb01 2631->2634 2638 59feb03-59feb11 2633->2638 2634->2638 2668 59fec78-59feca3 GetModuleHandleW 2635->2668 2669 59fec72-59fec75 2635->2669 2639 59feb2c-59feb33 2636->2639 2640 59feb21-59feb29 2636->2640 2638->2636 2642 59feb35-59feb3d 2639->2642 2643 59feb40-59feb49 call 59f7080 2639->2643 2640->2639 2642->2643 2648 59feb4b-59feb53 2643->2648 2649 59feb56-59feb5b 2643->2649 2648->2649 2650 59feb5d-59feb64 2649->2650 2651 59feb79-59feb7d 2649->2651 2650->2651 2653 59feb66-59feb76 call 59fc930 call 59fdf40 2650->2653 2673 59feb80 call 59fef89 2651->2673 2674 59feb80 call 59fef98 2651->2674 2653->2651 2656 59feb83-59feb86 2658 59feba9-59febaf 2656->2658 2659 59feb88-59feba6 2656->2659 2659->2658 2670 59fecac-59fecc0 2668->2670 2671 59feca5-59fecab 2668->2671 2669->2668 2671->2670 2673->2656 2674->2656
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: d59dd7e829da25102d60b0ece217da5e53786ce6907d28732ecfdf4fe3f61e83
                      • Instruction ID: a233f18e133b927a23ef362ab4f8e416b908e9da123c1a4ed80e1c2bc13e93b7
                      • Opcode Fuzzy Hash: d59dd7e829da25102d60b0ece217da5e53786ce6907d28732ecfdf4fe3f61e83
                      • Instruction Fuzzy Hash: FA716770A00B058FD764DF2AD444B5ABBFAFF88300F10892DD58AD7A60DB35E849CB90

                      Control-flow Graph

                      control_flow_graph 2676 624e228-624e243 2677 624e245-624e26c call 624d3e8 2676->2677 2678 624e26d-624e28c call 624d3f4 2676->2678 2684 624e292-624e2f1 2678->2684 2685 624e28e-624e291 2678->2685 2691 624e2f7-624e384 GlobalMemoryStatusEx 2684->2691 2692 624e2f3-624e2f6 2684->2692 2695 624e386-624e38c 2691->2695 2696 624e38d-624e3b5 2691->2696 2695->2696
                      Memory Dump Source
                      • Source File: 00000009.00000002.2934139989.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_6240000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 19a4e2b988b58792c214350d24ffe48cc98cea8023ebfb7b5228a25b55d470df
                      • Instruction ID: d8b6322f51708902c67498463105cba197698bea5908ee6097e97ed51bf36242
                      • Opcode Fuzzy Hash: 19a4e2b988b58792c214350d24ffe48cc98cea8023ebfb7b5228a25b55d470df
                      • Instruction Fuzzy Hash: DB415632D143968FC708DF79D8406EEBFF1AF89210F1586AAD448A7391DB349885CBE1

                      Control-flow Graph

                      control_flow_graph 2699 59f683f-59f6841 2700 59f67ea-59f6814 DuplicateHandle 2699->2700 2701 59f6843-59f684c 2699->2701 2702 59f681d-59f6830 2700->2702 2703 59f6816-59f681c 2700->2703 2704 59f684e-59f696e 2701->2704 2705 59f6833-59f683a 2701->2705 2702->2705 2703->2702
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059F6807
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 434888ffa6c4e9ea08cc74c2e4dc627f2fd263e448da49ae43dc45215674b3f8
                      • Instruction ID: 5136806af4f5a0e804cd8f61a428d42c8d6645ed6f41add8f742718c40df28a1
                      • Opcode Fuzzy Hash: 434888ffa6c4e9ea08cc74c2e4dc627f2fd263e448da49ae43dc45215674b3f8
                      • Instruction Fuzzy Hash: 324175B4A90344AFF7009F60E844BA97BFAF789700F10852AEB01973C5EB745846CF51

                      Control-flow Graph

                      control_flow_graph 2720 59f677b-59f677e 2721 59f6780-59f6814 DuplicateHandle 2720->2721 2722 59f681d-59f683a 2721->2722 2723 59f6816-59f681c 2721->2723 2723->2722
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059F6807
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 42813ba330210a104754304b0e79c2b214bf81ca366a16e2c9f206efc386ce46
                      • Instruction ID: 7996e450978a4ad990b8a7217c99275e0d32dd9f95a8831ecda248ac8931b6b5
                      • Opcode Fuzzy Hash: 42813ba330210a104754304b0e79c2b214bf81ca366a16e2c9f206efc386ce46
                      • Instruction Fuzzy Hash: 1221E5B5900349AFDB10CFAAD984ADEBFF8EB48310F14841AE955A3251D378A954CFA1
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 059F6807
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 0f26c4022e0416f75204021deb586c8f34215a7cbc888a2d8df7a6255158d274
                      • Instruction ID: c6a8d0dca119839d1a218502d6a5d089d3281ef7d7c3bb05ab47a012a5faa11f
                      • Opcode Fuzzy Hash: 0f26c4022e0416f75204021deb586c8f34215a7cbc888a2d8df7a6255158d274
                      • Instruction Fuzzy Hash: FC21E4B59003489FDB10CFAAD984ADEBBF8FB48310F14841AE918A3351D378A944CFA0
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 059FEF02
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: be696be7979c3a9dace08b98775a8598f42b9b22d7e1c3820e671b2cf5e5826b
                      • Instruction ID: 7bea43681fc18362a9383ae2c225db4b8e87cc8d805079afa329c5e2d305b1f3
                      • Opcode Fuzzy Hash: be696be7979c3a9dace08b98775a8598f42b9b22d7e1c3820e671b2cf5e5826b
                      • Instruction Fuzzy Hash: E11126B6C003499FDB20CF9AD448ADEFBF9EB48310F10842EE519A7210C775A544CFA1
                      APIs
                      • GlobalMemoryStatusEx.KERNELBASE(8B550542), ref: 0624E377
                      Memory Dump Source
                      • Source File: 00000009.00000002.2934139989.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_6240000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID:
                      • API String ID: 1890195054-0
                      • Opcode ID: d166924206b3477c3e94b174e77661449bebb2e6a2d7dcec5ce660b21c304313
                      • Instruction ID: 61033dedde7a8c0e906b633062fdc6194f4d02d3d41075f64701b4ee9dd9ebf7
                      • Opcode Fuzzy Hash: d166924206b3477c3e94b174e77661449bebb2e6a2d7dcec5ce660b21c304313
                      • Instruction Fuzzy Hash: E91112B1C0065A9BCB10DF9AC445BDEFBF4BB48324F11816AD818A7250D778A944CFA1
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 059FEF02
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 082bafe0c1ed50b6de9793fa889fa1a72a75a3b6a0f05f1e86ea86b35398b565
                      • Instruction ID: 844ed27d08fa5a2594fe805a75750a39a0b16addcdc56b1f7aaf45789999817e
                      • Opcode Fuzzy Hash: 082bafe0c1ed50b6de9793fa889fa1a72a75a3b6a0f05f1e86ea86b35398b565
                      • Instruction Fuzzy Hash: C911F3B68003499FDB10CF9AD448ADEFBF9EB88310F10842AE519A7250C775A945CFA5
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,059FEA5C), ref: 059FEC96
                      Memory Dump Source
                      • Source File: 00000009.00000002.2933943774.00000000059F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059F0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_59f0000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: dcd2aae63f5c19a12f20613794c9031934031bf3daf6c5493c438f3d756af39b
                      • Instruction ID: 59e63358540c7b8e877286a788ba7d1fd8928fbc78fda2b25a9ddf236f8a3127
                      • Opcode Fuzzy Hash: dcd2aae63f5c19a12f20613794c9031934031bf3daf6c5493c438f3d756af39b
                      • Instruction Fuzzy Hash: DE1132B2C003498FCB10DF9AC448A9EFBF8EB88224F10841AE529B7220C374A545CFA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID: PH^q
                      • API String ID: 0-2549759414
                      • Opcode ID: 93babe0225b0425cf576bacfbd0dfc304266929c637293e866dbe0e8463ca766
                      • Instruction ID: 7e0c90327c480257b542017ece89bbf834d29d4a9fe1538e49f341e5118004a5
                      • Opcode Fuzzy Hash: 93babe0225b0425cf576bacfbd0dfc304266929c637293e866dbe0e8463ca766
                      • Instruction Fuzzy Hash: E831F231B042129FDB1A9B78C5542AE3BF2EF89200F244529E44ADB385DF75DC47CBA1
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q
                      • API String ID: 0-2625958711
                      • Opcode ID: a2c1665be02a8082720120f8af1a9506d48283b854b19c4b59d0898db5ff0f2a
                      • Instruction ID: c4e63be166fa3af55788ffce2945022a5c35d3b28023883b67a9d7f50acab95d
                      • Opcode Fuzzy Hash: a2c1665be02a8082720120f8af1a9506d48283b854b19c4b59d0898db5ff0f2a
                      • Instruction Fuzzy Hash: 2D318434E002299FDF19CFA9D45479EB7B1FF45300F504425E905EB280EB759C96CB56
                      Strings
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q
                      • API String ID: 0-2625958711
                      • Opcode ID: 36a5208483a7dd6f2d593c27757b8822927967e6fbe71372c841e97702e4d617
                      • Instruction ID: afe9cd3eb0015240f65ab1cd5fd4d2434c2657ffc1ced3b9f99f98479629e5e3
                      • Opcode Fuzzy Hash: 36a5208483a7dd6f2d593c27757b8822927967e6fbe71372c841e97702e4d617
                      • Instruction Fuzzy Hash: 8921F6707082515FC719BB78D0A47DE7BB5EF86600F1044ADD045CF285EE359C5AC792
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d68fc1bd8da5d3d141f2d4a586dcfe06bbfeb0d0ccbc7c4b619aeb8bbccd59b
                      • Instruction ID: 78464f5110ecf0dff91701c8d0c3435ab7e3887820cf892bb88f197368f2b07c
                      • Opcode Fuzzy Hash: 8d68fc1bd8da5d3d141f2d4a586dcfe06bbfeb0d0ccbc7c4b619aeb8bbccd59b
                      • Instruction Fuzzy Hash: FA1241307002229FCB1AAB38E49465D33A2FF95351FA05E39E005CB755DF35EC969B91
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e41792c72fe30a2ea1a5a30f24946ac3be3f377fe78b88860e31e60f2c4fecde
                      • Instruction ID: 368829d0797f0db167abd93d4a63d9383c189d20c1ffab9dddfc95a6166f986e
                      • Opcode Fuzzy Hash: e41792c72fe30a2ea1a5a30f24946ac3be3f377fe78b88860e31e60f2c4fecde
                      • Instruction Fuzzy Hash: B1C1BE71B002298FDB18CF6DD8807AEBBB6FB88314F24856AE509DB385D770D845CB91
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 44fc33637e742cfa9ddaa8e0b47a1d780a726e760df6cfe9a61d189617bb3260
                      • Instruction ID: 84dbec3c81d00a6cfae1c7e24a1e895800431b97de171439238eb0da94bdc16f
                      • Opcode Fuzzy Hash: 44fc33637e742cfa9ddaa8e0b47a1d780a726e760df6cfe9a61d189617bb3260
                      • Instruction Fuzzy Hash: 4DA1E98181E3E12EDB17AB3818B52D63FB49F63665B4A05C7C4C48F0A3EA09495DC3B7
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2114f799ab5552e321fefcd34703aeb43dd292f734289bcd6e1659168f86f193
                      • Instruction ID: 18855a7067e66de91d40995fdb40c5aa254caebf528b056bfc0078fbd44361e6
                      • Opcode Fuzzy Hash: 2114f799ab5552e321fefcd34703aeb43dd292f734289bcd6e1659168f86f193
                      • Instruction Fuzzy Hash: C0B17D35A002299FDB19DF68D594AADBBF2FF88314F244469E906EB395DB30DD42CB40
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6d024ed65621016f59c004dc21c2e1f1d5cb1307e4fca7b2996ffa7ffb574cd4
                      • Instruction ID: e7aab3e2d28740d175c44763abfebbc5a9144d03cc0eb92c18c69588cf4a8ffa
                      • Opcode Fuzzy Hash: 6d024ed65621016f59c004dc21c2e1f1d5cb1307e4fca7b2996ffa7ffb574cd4
                      • Instruction Fuzzy Hash: 0AB16C70E00229CFDF18CFADD99179DBBF2AF88314F148129D818E7694EB749865CB81
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 705ab73368f4f9015fe81fab06fe75df43efac9a3b5c429329338b37e8ecf529
                      • Instruction ID: 61f8279e96fa013aaf1db4a720c3c65a60071b8149b143aafcd2682792571668
                      • Opcode Fuzzy Hash: 705ab73368f4f9015fe81fab06fe75df43efac9a3b5c429329338b37e8ecf529
                      • Instruction Fuzzy Hash: 88918F70E00219CFDF18CFA8D981BDDBBF2BF48314F248129E415A7654EB389895CB92
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7fc661c7a8984ce1da896d36aa948942359951b9e4a058da745f2b9229bf56cd
                      • Instruction ID: f05a5d628a2eace6cc02ed32257dc7c0351e8d6c9870219c39a9f72a054a85d1
                      • Opcode Fuzzy Hash: 7fc661c7a8984ce1da896d36aa948942359951b9e4a058da745f2b9229bf56cd
                      • Instruction Fuzzy Hash: B151F470D002288FDB18CFA9C895B9DBBF1BF48714F158119E859BB391DB74A844CF95
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce2d0eecb4f886695545b93fe3a65102288c9ac338a579c42407b057da080794
                      • Instruction ID: 18fe74768ce37e76e863d9f6a4af30c01a08ac92b3edff090d2f068fb74d5550
                      • Opcode Fuzzy Hash: ce2d0eecb4f886695545b93fe3a65102288c9ac338a579c42407b057da080794
                      • Instruction Fuzzy Hash: E05104B0D002288FDB18CFA9C894BEDBBF1BF48314F148119E859BB295D7749844CF55
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 568ffcae442a034536c49803b4c3f57bc62ad5e3a7cd60880b7c25dcb628d3aa
                      • Instruction ID: 1d0ca313ff23b40d2e64c34aa7bcbf89494e610602434da53c552dafbbd9cc12
                      • Opcode Fuzzy Hash: 568ffcae442a034536c49803b4c3f57bc62ad5e3a7cd60880b7c25dcb628d3aa
                      • Instruction Fuzzy Hash: 4541B971E0022ADBDB19CFA5C880ADEFBF5BF84700F158119D415B7240EB70A956CB91
                      Memory Dump Source
                      • Source File: 00000009.00000002.2920932751.0000000001120000.00000040.00000800.00020000.00000000.sdmp, Offset: 01120000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_9_2_1120000_Sy3CL61n0uDC55M.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6bbaad1957378a49f982d66dfb39bdac1d28cf4767aa9880b355457e779861d7
                      • Instruction ID: bf21e9306385d8db002fa12646d92e2bce3fc1d6a92215534f856bf4fc69bbad

                      Execution Graph

                      Execution Coverage: 11.7%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 0%
                      Total number of Nodes: 293
                      Total number of Limit Nodes: 8
CreateWindowExW 37032->37034 37035 50c18f0 CreateWindowExW 37032->37035 37033->37019 37034->37033 37035->37033 37037 50c1958 CreateWindowExW 37036->37037 37039 50c1a14 37037->37039 37041 50c1958 CreateWindowExW 37040->37041 37043 50c1a14 37041->37043

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 6da8a2d-6da8d7d; API node: CreateProcessA (6da8bc7-6da8c81).
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DA8C6E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: 7bec42166c92594d4859e84f2fbd3e69a614c19e83f252ca2fe94d119081c894
                      • Instruction ID: 0b21257499716b8c115a71094ec5962ad99b2650711e1a8e990543da700c69ca
                      • Opcode Fuzzy Hash: 7bec42166c92594d4859e84f2fbd3e69a614c19e83f252ca2fe94d119081c894
                      • Instruction Fuzzy Hash: 20A17AB1D043198FDF54CF68C841BEDBBB2BF48314F1485AAD809A7280DB749985DF91

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 6da8a38-6da8d7d; API node: CreateProcessA (6da8bc7-6da8c81).
                      APIs
                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DA8C6E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: CreateProcess
                      • String ID:
                      • API String ID: 963392458-0
                      • Opcode ID: ee3502ee25a71bec3fba06e5f3a29a9116a87dfd4ae5845dce97312fbedaa0c3
                      • Instruction ID: 43966926715c8345b0922172b83ce10127d348d2661bc115ea0032d5e080b4d9
                      • Opcode Fuzzy Hash: ee3502ee25a71bec3fba06e5f3a29a9116a87dfd4ae5845dce97312fbedaa0c3
                      • Instruction Fuzzy Hash: 169169B1D043198FDF54DF68C841BEDBBB2BF48310F14856AD809A7280DB749985DF91

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 29bada8-29bb028; API node: GetModuleHandleW (29bafe0-29bb00b); internal calls to 29ba0cc, 29ba0d8, 29ba0e8, 29ba0f8, 29ba108, 29bb030 and 29bb040.
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 029BAFFE
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 49b91d06219ee0b11697a3cf38784fd5ef259c81124553c1a502a4b1c8081575
                      • Instruction ID: b67277da45c190a12535b921277a36c4ccd4dc11a5c80ffae46cfcda0c8fd38d
                      • Opcode Fuzzy Hash: 49b91d06219ee0b11697a3cf38784fd5ef259c81124553c1a502a4b1c8081575
                      • Instruction Fuzzy Hash: C57135B0A00B058FD725DF2AD55479ABBF5FF88304F00892DD48AD7A40DB35E949CB90

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 50c18e4-50c1a61; API node: CreateWindowExW (50c1973-50c1a12).
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050C1A02
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755178177.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_50c0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 4734a2fc23f9e6cb0f7771392235e137220a1cf9ab3f761291328a02b35c3592
                      • Instruction ID: 445e91a94eaf298c16fcb84138c2c12a1ccb14fff1677182a5614d3b3b4f85c6
                      • Opcode Fuzzy Hash: 4734a2fc23f9e6cb0f7771392235e137220a1cf9ab3f761291328a02b35c3592
                      • Instruction Fuzzy Hash: B751CEB1D103499FDB14CFAAD884ADEBFB1FF49310F24816AE819AB251D7709985CF90

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 50c18f0-50c1a61; API node: CreateWindowExW (50c1973-50c1a12).
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 050C1A02
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755178177.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_50c0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: ddbfafea22e0ad7ccf20d46cca715ac61156ed95822f8d11c6d3bf7b01ae898b
                      • Instruction ID: ab6c160f7b6751f8b6ee1a0ba319babcb9149512f5e0ace9239f0d0541419c2c
                      • Opcode Fuzzy Hash: ddbfafea22e0ad7ccf20d46cca715ac61156ed95822f8d11c6d3bf7b01ae898b
                      • Instruction Fuzzy Hash: 4441CEB1D003499FDB14CFAAD884ADEBFB5FF49310F24816AE819AB251D7709985CF90

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 29b590c-29b5b14; API node: CreateActCtxA (29b598f-29b59d9).
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 029B59C9
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 1de334238ef5ca4ca6ec588e4fdc07dda63f1564ba81fca42c49eea433cf8c15
                      • Instruction ID: 5a5e3be6f24be1924eb66381caa49e1450e5e33e10a40ce7a49493bda5739b50
                      • Opcode Fuzzy Hash: 1de334238ef5ca4ca6ec588e4fdc07dda63f1564ba81fca42c49eea433cf8c15
                      • Instruction Fuzzy Hash: 3241DFB0C00719CAEB24DFA9C9847CDBBF5BF49314F64806AD419BB251DB71694ACF90

                      Control-flow Graph
                      • Executed / Not Executed node coloring and graph layout data omitted. Function range: 29b44b0-29b5b14; API node: CreateActCtxA (29b44b0-29b59d9).
                      APIs
                      • CreateActCtxA.KERNEL32(?), ref: 029B59C9
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: Create
                      • String ID:
                      • API String ID: 2289755597-0
                      • Opcode ID: 0175d70c95e1131b41fb6a93f6b0974b3036e58896acd564c5dddcf7f8894cff
                      • Instruction ID: 0e99879726bacae2d495f9cff0b9debff405290c70b7dc00f5850e69f0838ea8
                      • Opcode Fuzzy Hash: 0175d70c95e1131b41fb6a93f6b0974b3036e58896acd564c5dddcf7f8894cff
                      • Instruction Fuzzy Hash: D541C0B0C00719CAEB25DFA9C944BDDBBF5BF49304F60806AD409AB251DB716949CF90
                      APIs
                      • CallWindowProcW.USER32(?,?,?,?,?), ref: 050C4101
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755178177.00000000050C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050C0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_50c0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: CallProcWindow
                      • String ID:
                      • API String ID: 2714655100-0
                      • Opcode ID: bfae5badd4a2e934ec95ea2801bbe9f22ff3fba544d3b9596a949c95f60c5787
                      • Instruction ID: 1044fc06b83c6bfb2ec6452168f894a2d2cb94e9d85f4becdac6d47b52c6f810
                      • Opcode Fuzzy Hash: bfae5badd4a2e934ec95ea2801bbe9f22ff3fba544d3b9596a949c95f60c5787
                      • Instruction Fuzzy Hash: 484156B59003099FDB14CF89D848AAEBBF6FB89314F24849DD519AB321C774A841CFA0
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ec0f761ce10fd900311719bc8a124a7a51665ec36ea68fb9f985dca86343296a
                      • Instruction ID: 998c72ad9cd086863e57e65371403ea81fd5da3db5f2053524b244ac88e74b26
                      • Opcode Fuzzy Hash: ec0f761ce10fd900311719bc8a124a7a51665ec36ea68fb9f985dca86343296a
                      • Instruction Fuzzy Hash: 4931ADB0C04749CFEF12CFA8C9557EDBBF1AF4A318F954189C006AB251C775A94ACB01
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DA8840
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: cbfdd69b1eb4f6c7f4c01ed8a9ff428ffce4e00119a6462ccc6cdb62a47671ac
                      • Instruction ID: 293a01c56aaca53e611ce1dfc90f55787345cfccce5853f6616a039fcab0c0c1
                      • Opcode Fuzzy Hash: cbfdd69b1eb4f6c7f4c01ed8a9ff428ffce4e00119a6462ccc6cdb62a47671ac
                      • Instruction Fuzzy Hash: AB2168B1D003499FCB10DFA9C881BDEBBF4FF48310F10842AE918A3280C7749944DBA4
                      APIs
                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DA8840
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MemoryProcessWrite
                      • String ID:
                      • API String ID: 3559483778-0
                      • Opcode ID: aedd9b644457ec69f3bf8a4465d6b830c73c44af5881ed7a0dcd33e4c0f4989b
                      • Instruction ID: c25a6321d6cdbfe1fa39f22d6bc9682daa46b208de3a645633e04f9ec97ccb5b
                      • Opcode Fuzzy Hash: aedd9b644457ec69f3bf8a4465d6b830c73c44af5881ed7a0dcd33e4c0f4989b
                      • Instruction Fuzzy Hash: 1F2127B1D003499FCB10DFAAC885BDEBBF5FF48310F10842AE959A7281C7789954DBA4
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DA825E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: f9c85d0d9c23db0f7125c5c88bada9be3129ec71dc35772ce02e7f221f06df5b
                      • Instruction ID: f8ed2f41bdd85a3f32c3bfbe212f70ae60fac983ad026360b054c57da4e3074a
                      • Opcode Fuzzy Hash: f9c85d0d9c23db0f7125c5c88bada9be3129ec71dc35772ce02e7f221f06df5b
                      • Instruction Fuzzy Hash: 462125B19003098FDB10DFAAC4857EEBBF4EB49324F148429D459A7281CB789945CFA0
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DA8920
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 1a319038af9cd5a7499098b1573ee6b709b1a65b4a4a69330840b0ccdaa1707d
                      • Instruction ID: 9ab296dfa664f16de3669aff600a3543e7082fa1af1f9d460de9b5309eebf866
                      • Opcode Fuzzy Hash: 1a319038af9cd5a7499098b1573ee6b709b1a65b4a4a69330840b0ccdaa1707d
                      • Instruction Fuzzy Hash: F42127B19003499FDB10DFAAC845AEEFBF5FF48310F50842EE958A7281C7389945DBA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BD656,?,?,?,?,?), ref: 029BD717
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 9f5c3d8500dd6e6f3a38d23ada032870333c6467d5ee704bc7ad399179a7e1ad
                      • Instruction ID: 11bf71d5f4704f0e560c3fa203c8422cf638be52533dcfe6a33fecfb398d923b
                      • Opcode Fuzzy Hash: 9f5c3d8500dd6e6f3a38d23ada032870333c6467d5ee704bc7ad399179a7e1ad
                      • Instruction Fuzzy Hash: 0121E5B59003489FDB10CF9AD984ADEBBF4EB49314F14841AE918B3351D374A954CFA5
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,029BD656,?,?,?,?,?), ref: 029BD717
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 0f27fd8cc877840ce0d7e448ef4e868ae863169d4fa4a798a126ba6df69532a9
                      • Instruction ID: 1e4eb04e1a9e1aa7189c77bfa2fe42e26fe0ca6139d94bf794c34bde62bae654
                      • Opcode Fuzzy Hash: 0f27fd8cc877840ce0d7e448ef4e868ae863169d4fa4a798a126ba6df69532a9
                      • Instruction Fuzzy Hash: 892114B59002489FDB10CFAAD984ADEFFF4EB48314F10801AE918B3350C374A944CFA0
                      APIs
                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DA825E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: ContextThreadWow64
                      • String ID:
                      • API String ID: 983334009-0
                      • Opcode ID: 8f37bce5e35710a37065ae6a31b51861514165ee9a21226d1f203ab2302f9cdc
                      • Instruction ID: 897aeb7e808f5991537d9652287b0c4575d9ea65e97c5c3a97bfb595a7109066
                      • Opcode Fuzzy Hash: 8f37bce5e35710a37065ae6a31b51861514165ee9a21226d1f203ab2302f9cdc
                      • Instruction Fuzzy Hash: 202138B1D003098FDB10DFAAC4857EEBBF4EF88324F10842AD459A7281CB789945DFA4
                      APIs
                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DA8920
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MemoryProcessRead
                      • String ID:
                      • API String ID: 1726664587-0
                      • Opcode ID: 2c59ee5c9bdcb69f28222d5ac1b1936cea6fcb0ff63b412959555fb6650d84ad
                      • Instruction ID: 7fd0c953e6aff5855fab34a4b7aaa0ddc660ba90e2b631fa7b415fe8eb897a27
                      • Opcode Fuzzy Hash: 2c59ee5c9bdcb69f28222d5ac1b1936cea6fcb0ff63b412959555fb6650d84ad
                      • Instruction Fuzzy Hash: 542128B1C003499FCB10DFAAC845ADEFBF5FF48310F50842AE959A7240C7389944DBA5
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DA875E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: 579716885a579f522b00b700689622579da99e76fc877c1df06cc534ac42e3f2
                      • Instruction ID: 7e2a614a9e86036758d4ad17948b205193f0895246cc05ec11237be78699d7fa
                      • Opcode Fuzzy Hash: 579716885a579f522b00b700689622579da99e76fc877c1df06cc534ac42e3f2
                      • Instruction Fuzzy Hash: 96215871D003499FCB10DFAAC845ADEBFF5EF89310F208419E959A7290C7759940DBA0
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BB079,00000800,00000000,00000000), ref: 029BB28A
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: b22ecc05af5b892d1904b79a3211250bf9171015c0cf072021b9912b0341f059
                      • Instruction ID: 99bc15f2a7258ce8ac850612984ebdb1e48b0251dcf1e43c5171ea7617dfa7bf
                      • Opcode Fuzzy Hash: b22ecc05af5b892d1904b79a3211250bf9171015c0cf072021b9912b0341f059
                      • Instruction Fuzzy Hash: 651114B6D003098FDB14CFAAC944ADEFBF4EF88714F10842AD819A7240C375A545CFA4
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,029BB079,00000800,00000000,00000000), ref: 029BB28A
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: b82f5077249164b1476549e52f578702e65510880ddd62132b8df9c85fab78d7
                      • Instruction ID: a197e88358c6a9ff399193cf4a0cdb09d38c06b147170dd874e73bef1f685fe1
                      • Opcode Fuzzy Hash: b82f5077249164b1476549e52f578702e65510880ddd62132b8df9c85fab78d7
                      • Instruction Fuzzy Hash: 2A11F2B6D003489FDB14DF9AC944ADEFBF4EF59314F10842AD919A7240C375A945CFA4
                      APIs
                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DA875E
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: AllocVirtual
                      • String ID:
                      • API String ID: 4275171209-0
                      • Opcode ID: c322c02df68f497b9594c1f3496904f9b3627b809f75940852ed35c3d15406de
                      • Instruction ID: 49373ba40da6b861fea8c21ce68631ae6aa338e5ee0542f5f8146a9b57657889
                      • Opcode Fuzzy Hash: c322c02df68f497b9594c1f3496904f9b3627b809f75940852ed35c3d15406de
                      • Instruction Fuzzy Hash: 04112671D003499FCB10DFAAC845ADEBBF5EB88324F108419E519A7290C775A954DBA0
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 0b30f35d7c749456e509694b5aac925deb0158b785e4451a24730992ce9d3d35
                      • Instruction ID: d79c8e9acb94bf213870cbecf61031371ce0b6cad11adfc6a1e68a1b9ffddc72
                      • Opcode Fuzzy Hash: 0b30f35d7c749456e509694b5aac925deb0158b785e4451a24730992ce9d3d35
                      • Instruction Fuzzy Hash: B11128B19003488FDB14DFAAC8457EEFBF5EB89324F208419D519A7280CA75A944CBA5
                      APIs
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: ResumeThread
                      • String ID:
                      • API String ID: 947044025-0
                      • Opcode ID: 41e2a7ea65792adc73fe0c97531e13cf9d5e37f9fd1158aeda081391f1f00dce
                      • Instruction ID: 2bf705ee112c41979c6531c30c4193bdaecae79800e69518544135317330b507
                      • Opcode Fuzzy Hash: 41e2a7ea65792adc73fe0c97531e13cf9d5e37f9fd1158aeda081391f1f00dce
                      • Instruction Fuzzy Hash: 021128B19003488FDB14DFAAC8457AEFBF5EB89324F208419D519A7280CA75A944CB94
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06DAC5AD
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 65636c5e5229959d11d8eb066d7e2d667f37ae7553a9775083a6f8e4978b1ff7
                      • Instruction ID: ebdc11447f3250118734b394a2883265ec2bac5dc5d8fc709eea6f8fffcb07fa
                      • Opcode Fuzzy Hash: 65636c5e5229959d11d8eb066d7e2d667f37ae7553a9775083a6f8e4978b1ff7
                      • Instruction Fuzzy Hash: E71113B58043499FDB50DF9AD848BDEFFF8EB49320F10841AE558A3241C374A544CFA1
                      APIs
                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 06DAC5AD
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1755977637.0000000006DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DA0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_6da0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: MessagePost
                      • String ID:
                      • API String ID: 410705778-0
                      • Opcode ID: 3219ae18ff09ff2c60868ec05c51fe161f51cb429c202cee5f447aaea5d43aed
                      • Instruction ID: 2026e1040c6b7262f1d38e36d6f5beb4db4323bda25614c8dec4923520398e28
                      • Opcode Fuzzy Hash: 3219ae18ff09ff2c60868ec05c51fe161f51cb429c202cee5f447aaea5d43aed
                      • Instruction Fuzzy Hash: 6C11F2B58143489FDB10DF9AC849BEEBBF8EB48324F10841AE558B7240C375AA44CFA1
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 029BAFFE
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749782418.00000000029B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029B0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_29b0000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: 62fb583fceb730ac59efd1303c955b5ff15d4221e4145c4bf37e117b54dbca34
                      • Instruction ID: 6ab32acc3ac3086471d7eab9e8ccf5e4cb69422e74b2ffc0662b28db8381b84b
                      • Opcode Fuzzy Hash: 62fb583fceb730ac59efd1303c955b5ff15d4221e4145c4bf37e117b54dbca34
                      • Instruction Fuzzy Hash: 9011D2B5C003498FDB14DF9AC544ADEFBF4EF89214F10846AD829A7250D375A545CFA1
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749104524.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e6d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5e4a56f98c55fd6bf5edd7c46b28fef552618df2f5255d983d0bad1c013aae42
                      • Instruction ID: 6d7eca0f5b65b1aac5dc6f77c6bdeba57b72bd929ffce056dd7bae497158d166
                      • Opcode Fuzzy Hash: 5e4a56f98c55fd6bf5edd7c46b28fef552618df2f5255d983d0bad1c013aae42
                      • Instruction Fuzzy Hash: 062148B1A48244DFCB01DF04EDC0B16BF65FB98364F64C568D80A5B246C736EC16C7A1
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749264584.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e7d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 60e994a99f95efea022f6c3127234e03bdd32a3b9a83875172e89a5563496caf
                      • Instruction ID: 6fda4ab7a621f543fb9c21bae6b159bae872dc6942a8ec307bd3dec4498568a6
                      • Opcode Fuzzy Hash: 60e994a99f95efea022f6c3127234e03bdd32a3b9a83875172e89a5563496caf
                      • Instruction Fuzzy Hash: 7921D075608200DFCB15DF14DD84B26BBB6EF94318F24D96DD80E5B286C33AD807CA61
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749264584.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e7d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 82d2078ca6a3c5067efd91f660db315a6336008d09b41b90b142be978c12eb82
                      • Instruction ID: eec07417229793456d1267a23744facf04f6b76b169be1bc768f6720de77c2a2
                      • Opcode Fuzzy Hash: 82d2078ca6a3c5067efd91f660db315a6336008d09b41b90b142be978c12eb82
                      • Instruction Fuzzy Hash: BB21507550D3808FDB12CF24D994715BF72EF46314F28C5EAD8498B6A7C33A980ACB62
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749104524.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e6d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                      • Instruction ID: d64b5292215395ea09e261129f6013b01194202bd7d9b16a9e5f3e3f3734a1a2
                      • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                      • Instruction Fuzzy Hash: 42112676A44240CFCB12CF00D9C4B16BF72FB94324F24C2A9D8094B256C33AE85ACBA1
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749104524.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e6d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a4eadb118965e29828b65b3904d270c6647a557446130ed8141588869bce0565
                      • Instruction ID: 03bd9e46e8d0e5657caa9469b2075edce9dfc99b44d990f19b633df19d2beed6
                      • Opcode Fuzzy Hash: a4eadb118965e29828b65b3904d270c6647a557446130ed8141588869bce0565
                      • Instruction Fuzzy Hash: 6A01F771A4D3449AE7104A15EC84B66FFE8DF61369F58C81BEC092B286C339A840C672
                      Memory Dump Source
                      • Source File: 0000000B.00000002.1749104524.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_11_2_e6d000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ef35cf6e03b0354c1e52418aa4dec92b351dc16ff01278b0eccb87e51acfff1
                      • Instruction ID: 9e205b3f76a8fe8f5620176877ef384a9fa2faad40d2cde8cc16a00d47bec873
                      • Opcode Fuzzy Hash: 8ef35cf6e03b0354c1e52418aa4dec92b351dc16ff01278b0eccb87e51acfff1
                      • Instruction Fuzzy Hash: 95F0C2315493449EE7208E06DC84B62FFA8EF51778F18C45AED085B2C6C379A840CAB1

                      Execution Graph

                      Execution Coverage:12.6%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:46
                      Total number of Limit Nodes:5
                      [Execution graph rendering omitted: node/edge listing not reproducible as text. Entry node 2e70848; the only resolved API in the graph is GlobalMemoryStatusEx, reached through 2e71370, 2e71480, 2e76f65, 2e76f68, 2e77080, 5d0d428 and 5d0ef0f.]
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 864cecc60a36f8c0ee4e0868b5e156b1c15f7abe364a1782f61d5a3399aeafc8
                      • Instruction ID: 923c7eb6a95600a1cea299fca14fffc1ea79996c9889fea6437b68ca41cceb16
                      • Opcode Fuzzy Hash: 864cecc60a36f8c0ee4e0868b5e156b1c15f7abe364a1782f61d5a3399aeafc8
                      • Instruction Fuzzy Hash: EA53F831C10B1A8ACB51EF68C880699F7B1FF99300F15D79AE45977221FB70AAD5CB81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 443cad68f764e81a4a28a95b067d4f173d296f9ab6ada7a685e23ae94eaf0ef6
                      • Instruction ID: 05b75c01f7de719fabc85fa2cb86ae578bc4e000e13396477bbe365d0d0e9c9b
                      • Opcode Fuzzy Hash: 443cad68f764e81a4a28a95b067d4f173d296f9ab6ada7a685e23ae94eaf0ef6
                      • Instruction Fuzzy Hash: D5333E31D10B198EDB11EF68C8906ADF7B1FF99300F15D79AE458A7211EB70AAC5CB81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 08a99cda365b00d495be006f290e175d93efd0960136134aae4304ddf9286b9b
                      • Instruction ID: b3ca93fbb661b249197790399bf03551846322c55238e79ec119a8ad7f9e046d
                      • Opcode Fuzzy Hash: 08a99cda365b00d495be006f290e175d93efd0960136134aae4304ddf9286b9b
                      • Instruction Fuzzy Hash: 5B13FB31D10B198ACB11EF68C8946ADF7B1FF99300F15D79AE458B7221EB70AAC5CB41
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fe624085a595bf918dcf22773885af8974c678b03e761e31f9ff2ed993db362b
                      • Instruction ID: a7b7a8639a8a7d2cbe2db5b610ac749673f7dae2894d0fd859dfc2c3909484a7
                      • Opcode Fuzzy Hash: fe624085a595bf918dcf22773885af8974c678b03e761e31f9ff2ed993db362b
                      • Instruction Fuzzy Hash: DEA2E631C10B1A8ADB51EF68C880699F7B1FF99300F11D79AE45977221EB70AAC5CF81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b81ba52774ad08789e52c516e1c67a5899fcf7c4c99bdbe32dcccfd07487ea28
                      • Instruction ID: 029a05a9b3ea9d9ab65bb5dc45032d561ae4e38d9cd34887e63e949aa829a021
                      • Opcode Fuzzy Hash: b81ba52774ad08789e52c516e1c67a5899fcf7c4c99bdbe32dcccfd07487ea28
                      • Instruction Fuzzy Hash: FEB15C70E402099FDF10CFA9D8857EEBBF2AF88318F14D129D819A7294EB749855CF81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c593a7ea433d1dd301583e3e2203f73c41e045afa1f49db6f83ecdc84d1f5d02
                      • Instruction ID: ae31a06fb029cc0e22c5197abfe0c48796f474470b6e5916f96b7dfde6d2248b
                      • Opcode Fuzzy Hash: c593a7ea433d1dd301583e3e2203f73c41e045afa1f49db6f83ecdc84d1f5d02
                      • Instruction Fuzzy Hash: B7B17C70E402098FDB14CFA9D8917EDBBF2AF89318F14D129D855E7294EB749846CF81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 52d0fed412b39f7892fd4e9ab36bf8dce0e4cc1f726c75a1854b6e4a4d55def2
                      • Instruction ID: 27e43b21f25841aa32d614a29a45d8683f277590df6eee4df4c4dcd58a95cb17
                      • Opcode Fuzzy Hash: 52d0fed412b39f7892fd4e9ab36bf8dce0e4cc1f726c75a1854b6e4a4d55def2
                      • Instruction Fuzzy Hash: CE917C70E40209CFDF14DFA9D9817EEBBF2AF88308F14D129E415A7294EB749845CB91

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 2e7fcd8; contains calls to 2e7ff93 and 2e7ff23.]
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: (&^q$(bq
                      • API String ID: 0-1294341849
                      • Opcode ID: da1b06501c71c82edf50faf2e2f9f39880949e48131106f73f42b28c1fd5a928
                      • Instruction ID: fc84397e563d1b885d9635730e3e946b4881585ee00dccca38767346807c5b1e
                      • Opcode Fuzzy Hash: da1b06501c71c82edf50faf2e2f9f39880949e48131106f73f42b28c1fd5a928
                      • Instruction Fuzzy Hash: 5A516F31F402598BDB15DFB9C8506AEBBB2EFC5704F248569D406AB380DF34AD46CBA1

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 5d0e228; calls 5d0d3e8 and 5d0d3f4 and reaches GlobalMemoryStatusEx.]
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2934449084.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_5d00000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ff0ab63d4047d59594997e6de1c1cb81dc67a1d61ee78ab233dea93e455aa231
                      • Instruction ID: 99f686f2f9eabed2938a11ebcd5c1d3185d7ea2078c801bee038a5c4da3c4dad
                      • Opcode Fuzzy Hash: ff0ab63d4047d59594997e6de1c1cb81dc67a1d61ee78ab233dea93e455aa231
                      • Instruction Fuzzy Hash: F441F072D043598FCB04DFB9D8506AABFF6EF89310F0585ABD404A7391DB749844CBA0

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 5d0e310; reaches GlobalMemoryStatusEx.]
                      APIs
                      • GlobalMemoryStatusEx.KERNELBASE(8B55055C), ref: 05D0E377
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2934449084.0000000005D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D00000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_5d00000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID: GlobalMemoryStatus
                      • String ID:
                      • API String ID: 1890195054-0
                      • Opcode ID: 9a57ccb9d236923d03e8ef23c9180f6c6188b1d42723f414d5cc862fc81de1b1
                      • Instruction ID: eda194ffe2a6606821dd8b4f7d984f9d39d5c042332331c54bab1c53acbb683d
                      • Opcode Fuzzy Hash: 9a57ccb9d236923d03e8ef23c9180f6c6188b1d42723f414d5cc862fc81de1b1
                      • Instruction Fuzzy Hash: 151112B1C002599BCB10DF9AC444B9EFBF8EB48320F11816AD818A7281D778A944CFA5

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 2e7f31d; no resolved API calls.]
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: PH^q
                      • API String ID: 0-2549759414
                      • Opcode ID: 3ce9246c80e853477eb1a3153fa99ca123648727b92449ccb5df8ea021a14fd4
                      • Instruction ID: 1ef138b23d568ca5043a4a208b16cff499ab10105159e28cd17b3691d736667f
                      • Opcode Fuzzy Hash: 3ce9246c80e853477eb1a3153fa99ca123648727b92449ccb5df8ea021a14fd4
                      • Instruction Fuzzy Hash: B231C270B44201DFDB159B34C5546AE37E2AB89304F249479D40AEB781EF39CC46CBA5

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 2e7f324; no resolved API calls.]
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: PH^q
                      • API String ID: 0-2549759414
                      • Opcode ID: 888285fd9bff0f6b5fa92cf254f5faa84bea3483aa17c0fafc10167c11804536
                      • Instruction ID: f0b88402ceacf10103226e710e4bf12af03f1994bcd3f2ae9f9414fcb8045a13
                      • Opcode Fuzzy Hash: 888285fd9bff0f6b5fa92cf254f5faa84bea3483aa17c0fafc10167c11804536
                      • Instruction Fuzzy Hash: 3531C370B00201CFDB159B34C5546AE7BE2EB89314F249479D00AEB381EF39DC46CBA5

                      Control-flow Graph

                      [Control-flow graph rendering omitted: function entry 2e76f68; contains calls to 2e7791c, 5d0ed70, 5d0ed60 and 5d0ef0f.]
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q
                      • API String ID: 0-2625958711
                      • Opcode ID: 505c70ea0c0bf476a4954db235fa8351d669cdfb3247d5cf3854a2a23545fcd1
                      • Instruction ID: 3e2ed42ef3761f03c3bc68d3ccb28ea0eb4545205a1ee44f2b5f7c277bfc209c
                      • Opcode Fuzzy Hash: 505c70ea0c0bf476a4954db235fa8351d669cdfb3247d5cf3854a2a23545fcd1
                      • Instruction Fuzzy Hash: 20315B31E402099BDB18DFA5D45479EB7B6EF85308F109829E406EB240DB71AC86CB51
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q
                      • API String ID: 0-2625958711
                      • Opcode ID: 73d7ea5491050dc0ab6e7775d5a9df928ed470b6a9a8116a8b000d43fb0475b4
                      • Instruction ID: f1b1d5f71cce3d8419c04992ad97f32269d946f880247d84323a96a473ed3de7
                      • Opcode Fuzzy Hash: 73d7ea5491050dc0ab6e7775d5a9df928ed470b6a9a8116a8b000d43fb0475b4
                      • Instruction Fuzzy Hash: 8D314B30E506099BDF29CFA5C4557AEB7B6EF85308F209429E806FB240EB71AD46CB51
                      Strings
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID: LR^q
                      • API String ID: 0-2625958711
                      • Opcode ID: 646d60e62b92e696bcc12abcb398f82da64e4d72579179b603387f38891ff948
                      • Instruction ID: da7f7a842a94de7b14e0c41ad04a548a785e700e3906b7cc3cfd031868d75977
                      • Opcode Fuzzy Hash: 646d60e62b92e696bcc12abcb398f82da64e4d72579179b603387f38891ff948
                      • Instruction Fuzzy Hash: 1D012270B042405FC70AAB3D80256AE7BF6EFCA304F1084AAD00ACB350CA354C46CBA2
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f50c121556312e0ad2897d2ffff50c83f672aee72aa80698a668ad6e416388d4
                      • Instruction ID: d5d389c647a76e6299f9e3354485f0218809d230965a20b67381c13f383b527d
                      • Opcode Fuzzy Hash: f50c121556312e0ad2897d2ffff50c83f672aee72aa80698a668ad6e416388d4
                      • Instruction Fuzzy Hash: 87123B30B40211DFCB15BB3CE49422D76A2EBC5355F649979E00ACB7A4CF36EC968B91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 582ec9837d1f535def3edd5965a9ca1397618c5ab94002c2cff33b48da1f5949
                      • Instruction ID: 9a064594c4f0cbb51479161bc78a8b6d0bd8724e28afa96b507f8098726d03f3
                      • Opcode Fuzzy Hash: 582ec9837d1f535def3edd5965a9ca1397618c5ab94002c2cff33b48da1f5949
                      • Instruction Fuzzy Hash: 5CC1AC75A402058FDF14CF68D8807AEBBB2EF88314F24C56AE409EB396DB34D845CB91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6324a2d08d59a90cb0bf3feee047193e6bc12a8706c1164a978e32a2310d0c9
                      • Instruction ID: c1d35b4aca25b9c3fdc5051c84ab96f2a7614ce750e8c327c98f9686ac5b7711
                      • Opcode Fuzzy Hash: c6324a2d08d59a90cb0bf3feee047193e6bc12a8706c1164a978e32a2310d0c9
                      • Instruction Fuzzy Hash: A9B16C75A002149FCB14DFA8D594AADBBF2EF88314F24856AE406EB395DB34DC42CB51
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 06f57fc8e815af5ee4a658887507e36a442342534caeb76b4fd0853f9f973295
                      • Instruction ID: 5a1c294cf3ca38b9f6eebdccb83a7b781cc84c2a4596690b0861e6d97a90e57b
                      • Opcode Fuzzy Hash: 06f57fc8e815af5ee4a658887507e36a442342534caeb76b4fd0853f9f973295
                      • Instruction Fuzzy Hash: ABB16A70E40259CFDB10CFA9D8857EEBBF2AF88318F14D129D819A7294EB749855CF81
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 180966f1891ad3f7e9ddf297164de7c11f0e02f98aee1e00687e9239d4d54580
                      • Instruction ID: e7cf23896d15cfff761c2e7c1cc45bda00cadd412ee2ff51c0f6d3a5359c68dd
                      • Opcode Fuzzy Hash: 180966f1891ad3f7e9ddf297164de7c11f0e02f98aee1e00687e9239d4d54580
                      • Instruction Fuzzy Hash: 7C914C74A40114DFCB14DFA8D584AADBBF2EF88315F248569E806E73A5DB35EC42CB50
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 844c0ed7f58005d5f2d06a0115703201b9062558d34ea76c33a7562079af99d2
                      • Instruction ID: 1ce4bb44720f333459b1364acaa82c90607e0195112ba754e31a22ee4828f1e2
                      • Opcode Fuzzy Hash: 844c0ed7f58005d5f2d06a0115703201b9062558d34ea76c33a7562079af99d2
                      • Instruction Fuzzy Hash: F6915C74A001149FCB14DFA8D594AADBBF2FF88315F248569E806EB3A5DB35EC42CB50
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d4c4a72d23eeea962e2dea743c16fe8046e77ae0c020641681e97c6f35d2510
                      • Instruction ID: 9624760c66a70718e84c52f60bcd865e4b5bcd941081cf473958588f5f2b13b7
                      • Opcode Fuzzy Hash: 0d4c4a72d23eeea962e2dea743c16fe8046e77ae0c020641681e97c6f35d2510
                      • Instruction Fuzzy Hash: 16916B70E40209CFDF14DFA9D9857DEBBF2AF88308F14E129E415A7294EB749845CB91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c6e97c937c357b11987d4381faeed21b4858b1d52ea89e08a9a226f2293fc1a5
                      • Instruction ID: ebd0a43ad4fb2cc94725e55845a6e2d26575e92d4df83cb61b89a50b1ce28329
                      • Opcode Fuzzy Hash: c6e97c937c357b11987d4381faeed21b4858b1d52ea89e08a9a226f2293fc1a5
                      • Instruction Fuzzy Hash: 085123B0D106188FDB18DFAAC844B9EBBB5FF48308F149129E819BB351DB74A944CF95
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d483cbeac4eced9b8542cab00d71e37352035c06b51512fd62451ad8a32f7590
                      • Instruction ID: b4ec012d8c273f13459531a626bf9e5940dfdf02088a95bf055f6b66331df3e5
                      • Opcode Fuzzy Hash: d483cbeac4eced9b8542cab00d71e37352035c06b51512fd62451ad8a32f7590
                      • Instruction Fuzzy Hash: B6413071E402199BDB15DFA5C880BDEBBF6EF88714F249129E405B7340DB70AD46CBA1
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 35f2972b69209933163170b5a8a5dbe9ffcdedd723d8f1563e3191af6c7c3113
                      • Instruction ID: 381b4f40a734f6e8fc56e26db28de2999f8f9e7a052fff8d6f24d29706d177c9
                      • Opcode Fuzzy Hash: 35f2972b69209933163170b5a8a5dbe9ffcdedd723d8f1563e3191af6c7c3113
                      • Instruction Fuzzy Hash: 2451B5716012A1CFC715FF6CF8909543BE2F7A13057048ABDE0066B266DB7C6D59CB92
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f7d2f9debfa6cc7ef7ec60bd4ebdc745e3ae6ebc7b829cf50599bae96e1564ca
                      • Instruction ID: 846a9a21e88acd78a726050fb986f3e75be728e3aa870bdb71510f9dc22b0b5d
                      • Opcode Fuzzy Hash: f7d2f9debfa6cc7ef7ec60bd4ebdc745e3ae6ebc7b829cf50599bae96e1564ca
                      • Instruction Fuzzy Hash: 76519371601262CFC705FF6CF9909443BE2F7A13053449ABDE0066B266DB7C6D59CB92
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7eaf826667e1211f6a6d56400156bfb0479f6e4c3b06f1c3ec5bfe0024d62a4a
                      • Instruction ID: 9b3dc67b39fcea7667143558d7652d7e403fdacf929a7369d349f59e054f5a1c
                      • Opcode Fuzzy Hash: 7eaf826667e1211f6a6d56400156bfb0479f6e4c3b06f1c3ec5bfe0024d62a4a
                      • Instruction Fuzzy Hash: CF31AD71B801048FEF14CB69D995BAE7BE6EF88714F249165E505EB3A1DBB2D8008B90
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0d8877b797b442c84a927738eec0e3adcad4bfff067c89b9de986528ea131127
                      • Instruction ID: e2a1a7ca0f5900d63a78b5018d855a9b12bdb3c98067c62519b1a0ccb7af4d91
                      • Opcode Fuzzy Hash: 0d8877b797b442c84a927738eec0e3adcad4bfff067c89b9de986528ea131127
                      • Instruction Fuzzy Hash: F0313835E106059BCB19DFA9D49469EBBB2FF89304F10C529E80AE7750DB70AC46CB90
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2ca918fba56734e993aae9dd66740e93e0db32d09c4a1daa0634c5355a70699
                      • Instruction ID: c2264ca50d5c79a1821b6d19784302d19c2e792c1178ae0079e7b78ed31aa2e4
                      • Opcode Fuzzy Hash: e2ca918fba56734e993aae9dd66740e93e0db32d09c4a1daa0634c5355a70699
                      • Instruction Fuzzy Hash: 1741DEB0D0034D9FDB14DFA9C984ADEBFF5EF48314F208429E919AB250DB75A945CB90
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 59e5d6d30257c4a1d2dce27977a4f50e04b6fd86968e298940c76050ed39e7ba
                      • Instruction ID: a0851b0533f6a2f55e19fcb9fb83cedfbf36faa469f1fe0ff7f6ecd53f112ae9
                      • Opcode Fuzzy Hash: 59e5d6d30257c4a1d2dce27977a4f50e04b6fd86968e298940c76050ed39e7ba
                      • Instruction Fuzzy Hash: 09217E31E0020A9BDB05DFA5D49469EFBB2FF89304F14C629E809AB341DB749846CB90
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 780bc32dc919e3ebec33f4980710c9669d7af40bef760b60fb4d9d4833425dae
                      • Instruction ID: 811a934fb2df7e4af602bafdff0bd3df4198e4b5d6242db94f4ff84299a2c248
                      • Opcode Fuzzy Hash: 780bc32dc919e3ebec33f4980710c9669d7af40bef760b60fb4d9d4833425dae
                      • Instruction Fuzzy Hash: A921C131E406459FCB19DFA4D454AEEBBB2AF89304F10C51AE816B7341DB709946CB50
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2921630272.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2dad000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: de9a9bc8e66c16ef793e7610811d3d8e5a71c7887096cd9ff63c4514dc793c77
                      • Instruction ID: f16196ae4063a8b5a68d8908e55e638280705a175ad4cc04992d5facb3b6a5b7
                      • Opcode Fuzzy Hash: de9a9bc8e66c16ef793e7610811d3d8e5a71c7887096cd9ff63c4514dc793c77
                      • Instruction Fuzzy Hash: E621F5B56042409FDB05DF14D9D4F25BBA6FB88314F24CA6DD84A4B751C33AD846CA61
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d1f0ab154d981139e4a75dc2bb8d7845cf622b0a667f7bbc94f5efdf6ce44bcc
                      • Instruction ID: 1848e2e5284e488700864b76f59f703006978c8dfe8951ff71e8db92525c719f
                      • Opcode Fuzzy Hash: d1f0ab154d981139e4a75dc2bb8d7845cf622b0a667f7bbc94f5efdf6ce44bcc
                      • Instruction Fuzzy Hash: C4219030AC03109BDF31AB69E45436C3B66E746319F50987AE40EDF381EB389C94C792
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f430124f0577167a80f7d6611d667c320e6d6f841f3676afd7c658b6df6af3dc
                      • Instruction ID: 8f0c64dd1d423d77c9e77efd226ac60f9f35798c06fbd2feff4190df0fe962aa
                      • Opcode Fuzzy Hash: f430124f0577167a80f7d6611d667c320e6d6f841f3676afd7c658b6df6af3dc
                      • Instruction Fuzzy Hash: 1D219D71B501048FEB14CB69C998BAE7BF6FF88714F209065E505EB3A5DBB1CC008B90
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a170fda6ab1211721e6f27102d57a8ec1bb1aff899ba8273b3c6d58ae1753e0c
                      • Instruction ID: faac148c55883546c0fe29d7b303b5633c5b35f61bba6ace849148bb3a5b1a80
                      • Opcode Fuzzy Hash: a170fda6ab1211721e6f27102d57a8ec1bb1aff899ba8273b3c6d58ae1753e0c
                      • Instruction Fuzzy Hash: A7219F30E40609DBCB19DFA4D854A9EF7B2BF89314F21C51AE815FB341DB70A946CB50
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ef79ebe18528c82eed1f0a38333c698822dee4ae243d0d2194a612e0a339e61d
                      • Instruction ID: deb36c57361c23a40114e591e1deb2b1f9c01eac3453da0c0670f6e121af5545
                      • Opcode Fuzzy Hash: ef79ebe18528c82eed1f0a38333c698822dee4ae243d0d2194a612e0a339e61d
                      • Instruction Fuzzy Hash: 54211930B40319CFEB14EB68C5557AE77F6AB49245F105469D40AFB290EF3A9C01CBA1
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db7e66f84a787eee13aab69eba4043d481a5760cbe3f1fbefe5b47c542586f96
                      • Instruction ID: 1b184635dd2a696760f2caf6ad4ae51f326d7641307fa1a2e882f0b861442d3f
                      • Opcode Fuzzy Hash: db7e66f84a787eee13aab69eba4043d481a5760cbe3f1fbefe5b47c542586f96
                      • Instruction Fuzzy Hash: 22217F70AC03109BDF31AA69E44436C3766E74631DF50983AE40EDF381EB799C948792
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 951aa3e5311511ae666272f27ec0486a818c8422ef5eb517488acd9d66a16e9a
                      • Instruction ID: f7e89b8def7adde80c1292a6719256df04abbd58ddeec902768cae37d75e21a7
                      • Opcode Fuzzy Hash: 951aa3e5311511ae666272f27ec0486a818c8422ef5eb517488acd9d66a16e9a
                      • Instruction Fuzzy Hash: FC214D74A402118BDF21EA68E884B1937A6E785309F10A935E40FDB255EB7CDC858BD2
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: efc31ca8fa4eec7787e18cc61d2a07b1ddab9dbb2c1de5330df8a235ded1892f
                      • Instruction ID: b3c9488a8d7dc7b23fae1805152c719fc9b484192e945fb5e9455d585f625e38
                      • Opcode Fuzzy Hash: efc31ca8fa4eec7787e18cc61d2a07b1ddab9dbb2c1de5330df8a235ded1892f
                      • Instruction Fuzzy Hash: 1C211930B40214CFDB14EF79C568AAE77F2EB89345F205469E406EB3A4EB369D00CB91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4b9b1021a0c76171037f79574148ed530346f13bf8e420fd74394a625514add9
                      • Instruction ID: 3627dc6727d5decae23e039593984575c898c209eed632116dc228f8f559acfa
                      • Opcode Fuzzy Hash: 4b9b1021a0c76171037f79574148ed530346f13bf8e420fd74394a625514add9
                      • Instruction Fuzzy Hash: 9D11A030F902048BEF64AB79D44476E32A6EB85319F20D93AE406DF381DB75DD828BD1
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b020e29ac39b0c5455a55d3b325a035386cf707a4349ad6165b455ff5cb1dcb9
                      • Instruction ID: eb149b2f1d0acf6c497f40dfb04922e0f146e4a05b05ac19e29859c08b82d071
                      • Opcode Fuzzy Hash: b020e29ac39b0c5455a55d3b325a035386cf707a4349ad6165b455ff5cb1dcb9
                      • Instruction Fuzzy Hash: 6311A030F803049BFF246A79D4403AE72A6EB4231CF14D97AE406DB281DB75DD818BD2
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3449ed43954b119a115400576bd0fcfafc5e19447d6512740e297b133f7c691
                      • Instruction ID: d7f0c5eadd15528c4ba3926153f2d998390849aee698487b0eda22c4e90a8446
                      • Opcode Fuzzy Hash: a3449ed43954b119a115400576bd0fcfafc5e19447d6512740e297b133f7c691
                      • Instruction Fuzzy Hash: BB117331E403158FCF65EFB994502EDBBF5EF45225B1490BAE809EB241E735C8428B91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ece725376c463d8ea5d761ac78d28e71134f446a126216ea011350b5f4d4f4a
                      • Instruction ID: 3268ae339b6425d1ff8a50459b78a6c70003fbe1bbb7ddeaeb26afea8e8ab3d4
                      • Opcode Fuzzy Hash: 8ece725376c463d8ea5d761ac78d28e71134f446a126216ea011350b5f4d4f4a
                      • Instruction Fuzzy Hash: DB110471F402118FDB11AF7998086AE7BE2FB88250F104479E90AD7340EB388952CB82
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2921630272.0000000002DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DAD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2dad000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                      • Instruction ID: 020917c7682cae9072b2fee562b9231bb8ec18b8005ece26ec37c10991d3812a
                      • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                      • Instruction Fuzzy Hash: 0F119075504280DFDB05CF14D9D4B15BB72FB48314F24C6AED8494BB56C33AD84ACB51
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: acccc870a34188b95df686d030fe59a9ca82434cbddb1112e6ff157260070acc
                      • Instruction ID: 0261be3ea062cfc14a6d735749e1b7308d31dca17313e8ceff334c7a9d888649
                      • Opcode Fuzzy Hash: acccc870a34188b95df686d030fe59a9ca82434cbddb1112e6ff157260070acc
                      • Instruction Fuzzy Hash: 98018431E403158FCF25EFB9844029DB7F5EF49225F149479E809EB240E735D8428B91
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ffaa898c03aaf1f79749038b914a06c98c3adc6186c2ad0d7d425c46d826641c
                      • Instruction ID: a88694c59a93e16775208f01fd5d24edf765d68a2ff1e0511c238cc55f16d922
                      • Opcode Fuzzy Hash: ffaa898c03aaf1f79749038b914a06c98c3adc6186c2ad0d7d425c46d826641c
                      • Instruction Fuzzy Hash: 4211D671A002048FDB05EF65D98478ABBA2FF81316F14C5A5D84C6F29AE7709D45CBA1
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f97e7371ea0dfc0bacf74b35a5de6b00f9bef15474c405f15fd194f5e94c979b
                      • Instruction ID: 6aa255a5a17d7ce0c0aa882110ff897724b78fe6d21f4ada4a82935f045851bc
                      • Opcode Fuzzy Hash: f97e7371ea0dfc0bacf74b35a5de6b00f9bef15474c405f15fd194f5e94c979b
                      • Instruction Fuzzy Hash: CB012435B80204CFC718DB75D458BAD77B2EB88219F5444A8E506DB3A0DB35AD92CB41
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ed1ecc3e5f2ac945924c06f0ea23a861b6b1daa06b9a671b71ceb376ac8d5e6
                      • Instruction ID: bea1b56a633850c1de58f621471389fd39240105f334657ea89567bcfb410b6b
                      • Opcode Fuzzy Hash: 0ed1ecc3e5f2ac945924c06f0ea23a861b6b1daa06b9a671b71ceb376ac8d5e6
                      • Instruction Fuzzy Hash: 2DF09A76E001198BCB609EEAA9852EEBBA9EB89224F20483BD109E7241D7305A0547D2
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dd94928d3c1ee80b445e75b574663f226bad2ff1c8de343abc504b25ab5df1f8
                      • Instruction ID: 9cf26aa84b416dc636c24f6d83b49fff58147c1a76eac272aaeaf2b5172d88db
                      • Opcode Fuzzy Hash: dd94928d3c1ee80b445e75b574663f226bad2ff1c8de343abc504b25ab5df1f8
                      • Instruction Fuzzy Hash: 04018B70900259DFCB01EBA8E88099D3BB2EB41305B1047E9D40A6B296DE352E82CB96
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ca071948fae2a532d68e1869ef1cd8238037358558d14b11c34263ac4eeca40
                      • Instruction ID: 7c3c10944e82273bd687170acf4706c8986d1a92a3686803bd5dc655b8d1eb6d
                      • Opcode Fuzzy Hash: 0ca071948fae2a532d68e1869ef1cd8238037358558d14b11c34263ac4eeca40
                      • Instruction Fuzzy Hash: 9DF02B33A44350CBDB25CBF994901ACBBA1EF59226B18A0E7D80ADF251D334D442CB51
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c7791aeff2cea401d258a0d99aecd14dba42c4a8d5e8d2a6117ad0af62bdcc45
                      • Instruction ID: 20f2494853a63e03494b3011da4bada40d498c321795be9308b05da578400e26
                      • Opcode Fuzzy Hash: c7791aeff2cea401d258a0d99aecd14dba42c4a8d5e8d2a6117ad0af62bdcc45
                      • Instruction Fuzzy Hash: 7EF0B4323002186F9B069ED89C459AF3FAFEBC8360B50402AFA09D3340CE31AD1157B5
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4ec5301d56180165f808ab616d5b05b39842f29f9c92e8ba5a16f8c0fbb7647a
                      • Instruction ID: f63b714c119ad2ce3464708395e56f4481112d23df8c33ad1e6a39d097b319ed
                      • Opcode Fuzzy Hash: 4ec5301d56180165f808ab616d5b05b39842f29f9c92e8ba5a16f8c0fbb7647a
                      • Instruction Fuzzy Hash: D6F08170500259DFCB10EFA8E88199D7BA6EB40305F1046E8D40A6B295DE352E428BC2
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: edecc04ccef966b0d64e9bcaf7a721dc7e26e12e81b9841abc26c527a9ce4832
                      • Instruction ID: 01170cd1639d14c86dbd98b42d0a883314512d9c358270bd87db7547cc0480b8
                      • Opcode Fuzzy Hash: edecc04ccef966b0d64e9bcaf7a721dc7e26e12e81b9841abc26c527a9ce4832
                      • Instruction Fuzzy Hash: 93F03C74900219EFCB40FFA8E89099D7BF6EB40305F5046B8D40AA7254EE352E458BD1
                      Memory Dump Source
                      • Source File: 0000000F.00000002.2922358607.0000000002E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E70000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_15_2_2e70000_dJlGycWPOpq.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7920b83835b80e5fd6f0d0ae787cc756221f256e4afa7e46998522c4da82c16c
                      • Instruction ID: 0aa9977fae48339557b032f578a744306acd55e2edfe7c0d71887fdfe6607738
                      • Opcode Fuzzy Hash: 7920b83835b80e5fd6f0d0ae787cc756221f256e4afa7e46998522c4da82c16c
                      • Instruction Fuzzy Hash: 4FC02B333048301B4309064CB407859EEECF9C8761308417FF009C3300CE20980183C4