
Windows Analysis Report
okPY77wv6E.exe

Overview

General Information

Sample name: okPY77wv6E.exe (renamed because original name is a hash value)
Original sample name: f7e8acb9ce13f8754aa9fd67d3857afc.exe
Analysis ID: 1462148
MD5: f7e8acb9ce13f8754aa9fd67d3857afc
SHA1: fcb487f57452a0d46c90bfcb103ebfa7e6d0a5bb
SHA256: f783322d824a009bdcdf0ecfc1065d5039bf39c67321aedb81241eba942e2b78
Tags: 64, exe, Formbook, trojan

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • okPY77wv6E.exe (PID: 7420 cmdline: "C:\Users\user\Desktop\okPY77wv6E.exe" MD5: F7E8ACB9CE13F8754AA9FD67D3857AFC)
    • powershell.exe (PID: 7532 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7944 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • InstallUtil.exe (PID: 7572 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • AddInProcess32.exe (PID: 7644 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • AddInProcess32.exe (PID: 7652 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 7768 cmdline: C:\Windows\system32\WerFault.exe -u -p 7420 -s 1104 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | SWEED | | https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source | Rule | Description | Author | Strings
00000004.00000002.2920921944.000000000316E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.2920921944.0000000003191000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
(12 further entries)

Source | Rule | Description | Author | Strings
0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see strings below
  • 0x33d0f:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33d81:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33e0b:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33e9d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33f07:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33f79:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3400f:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3409f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.okPY77wv6E.exe.1f6381364f0.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.okPY77wv6E.exe.1f6381364f0.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(13 further entries)

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\okPY77wv6E.exe", ParentImage: C:\Users\user\Desktop\okPY77wv6E.exe, ParentProcessId: 7420, ParentProcessName: okPY77wv6E.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, ProcessId: 7532, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\okPY77wv6E.exe", ParentImage: C:\Users\user\Desktop\okPY77wv6E.exe, ParentProcessId: 7420, ParentProcessName: okPY77wv6E.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, ProcessId: 7532, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.230.214.164, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, Initiated: true, ProcessId: 7644, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49735
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\okPY77wv6E.exe", ParentImage: C:\Users\user\Desktop\okPY77wv6E.exe, ParentProcessId: 7420, ParentProcessName: okPY77wv6E.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force, ProcessId: 7532, ProcessName: powershell.exe
No Snort rule has matched


                    AV Detection

Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.zoho.eu", "Username": "logs@astonherald.com", "Password": "office12#"}
Source: okPY77wv6E.exe | ReversingLabs: Detection: 57%
Source: okPY77wv6E.exe | Virustotal: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability

                    Exploits

Source: Yara match | File source: 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: okPY77wv6E.exe PID: 7420, type: MEMORYSTR
Source: okPY77wv6E.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E9A.tmp.dmp.8.dr

                    Networking

Source: Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 185.230.214.164:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.230.214.164
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 185.230.214.164:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: smtp.zoho.eu
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0=
Source: AddInProcess32.exe, 00000004.00000002.2920921944.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0B
Source: AddInProcess32.exe, 00000004.00000002.2920921944.0000000003111000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.zoho.eu
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://status.thawte.com0:
Source: Amcache.hve.8.dr | String found in binary or memory: http://upx.sf.net
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.digicert.com/CPS0

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: cTytqmH
Source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, gmBpn1ecBmQ.cs | .Net Code: cTytqmH

                    System Summary

Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okPY77wv6E.exe.1f6381364f0.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B6358
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B6350
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2C0335
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2BB088
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2C70C3
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2BDE91
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B4670
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B4668
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2C6EF1
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B9B68
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2C21AF
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2B613D
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2C6F54
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B3A0000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_016641F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0166A568
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_01664AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0166AD28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_0166EE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_01663EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069ACE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069A2449
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069AE088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B66C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B2430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B5258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069BC250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069BB300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B7E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B7770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069BE470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B59C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_069B0007
                    Source: C:\Users\user\Desktop\okPY77wv6E.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7420 -s 1104
                    Source: okPY77wv6E.exeStatic PE information: No import functions for PE file found
                    Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs okPY77wv6E.exe
                    Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameOyaruquyor2 vs okPY77wv6E.exe
                    Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7bc3a901-84f9-4a81-8277-20a61843655f.exe4 vs okPY77wv6E.exe
                    Source: okPY77wv6E.exe, 00000000.00000000.1657386764.000001F62619C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameIzemefefejifag4 vs okPY77wv6E.exe
                    Source: okPY77wv6E.exe, 00000000.00000002.1891755673.000001F640844000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs okPY77wv6E.exe
                    Source: okPY77wv6E.exe, 00000000.00000002.1891755673.000001F640844000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXEj% vs okPY77wv6E.exe
                    Source: okPY77wv6E.exeBinary or memory string: OriginalFilenameIzemefefejifag4 vs okPY77wv6E.exe
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.okPY77wv6E.exe.1f6381364f0.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: okPY77wv6E.exe, ----.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, roEs93G.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, JQn0Aia1.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, YsrmZ97b.csCryptographic APIs: 'TransformFinalBlock'
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@12/10@2/2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: NULL
                    Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7420
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lvwbra0s.qvk.ps1
                    Source: okPY77wv6E.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries)
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: okPY77wv6E.exe | ReversingLabs: Detection: 57%
                    Source: okPY77wv6E.exe | Virustotal: Detection: 62%
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | File read: C:\Users\user\Desktop\okPY77wv6E.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\okPY77wv6E.exe "C:\Users\user\Desktop\okPY77wv6E.exe"
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" (2 identical entries)
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7420 -s 1104
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
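
The process tree above is the part of this report a detection engineer turns into a rule: the sample spawns powershell.exe to add a Defender exclusion for its own path, then starts .NET framework utilities (InstallUtil.exe, AddInProcess32.exe) with no arguments at all, which is the usual prelude to the "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" behaviour listed in the signatures. The Python below is an added example and not part of the Joe Sandbox report: it runs those two checks over constructed process-creation records that mirror the tree above. The PIDs, the Sysmon-style field names, the benign control record and the -EncodedCommand variant (the form named by the Sigma rule "Powershell Base64 Encoded MpPreference Cmdlet") are assumptions introduced for the example.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in Sysmon Event ID 1 shape, hand-written to
# mirror the process tree in the report above. PIDs are illustrative, not the sandbox's.
EVENTS = [
    {"pid": 7420, "ppid": 4100, "image": r"C:\Users\user\Desktop\okPY77wv6E.exe",
     "cmdline": r'"C:\Users\user\Desktop\okPY77wv6E.exe"'},
    {"pid": 7540, "ppid": 7420, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force'},
    {"pid": 7560, "ppid": 7540, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7600, "ppid": 7420, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'},
    {"pid": 7620, "ppid": 7420, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"'},
    # The same exclusion delivered through -EncodedCommand (constructed variant).
    {"pid": 7700, "ppid": 7420, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe"'.encode("utf-16le")).decode()},
    # Benign control (constructed): InstallUtil run with a real assembly argument must not fire.
    {"pid": 8000, "ppid": 3000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Vendor\Service.exe"'},
]

# .NET framework binaries that are commonly started empty and then overwritten with a payload.
DOTNET_HOSTS = {"installutil.exe", "addinprocess32.exe", "addinprocess.exe",
                "regasm.exe", "regsvcs.exe", "applaunch.exe"}
MP_EXCLUSION = re.compile(r"(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension|ipaddress)", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Replace a -EncodedCommand payload with its UTF-16LE plaintext so later checks can see it."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        plain = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[:m.start()] + plain


def launched_without_arguments(cmdline: str) -> bool:
    """True when the command line is nothing but the (possibly quoted) image path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return end != -1 and s[end + 1:].strip() == ""
    return len(s.split()) == 1


def in_user_writable_path(image: str) -> bool:
    """Heuristic: parents living under a user profile, ProgramData or a Temp directory."""
    p = image.lower()
    return p.startswith("c:\\users\\") or p.startswith("c:\\programdata\\") or "\\temp\\" in p


def analyze(events):
    """Return (rule, pid, detail) findings for the two behaviours seen in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = PureWindowsPath(e["image"]).name.lower()
        cmd = decode_encoded_command(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if name in ("powershell.exe", "pwsh.exe") and MP_EXCLUSION.search(cmd):
            findings.append(("defender_exclusion", e["pid"], cmd))
        if (name in DOTNET_HOSTS and launched_without_arguments(cmd)
                and parent is not None and in_user_writable_path(parent["image"])):
            findings.append(("dotnet_host_no_args", e["pid"], f"{name} started empty by {parent['image']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule}\tpid={pid}\t{detail}")
```

The second rule keys on the parent's location rather than on the host binary alone, because InstallUtil.exe and friends are legitimately run by installers; an empty command line plus a parent in a user-writable directory is the combination that matters. Both rules operate on the decoded command line, so an attacker moving the cmdlet into -EncodedCommand does not escape them.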
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ucrtbase_clr0400.dll (2 identical entries)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 identical entries)
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 identical entries)
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: okPY77wv6E.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: okPY77wv6E.exe | Static file information: File size 2574910 > 1048576
                    Source: okPY77wv6E.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: okPY77wv6E.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Windows.Forms.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Drawing.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdbRSDS source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: System.Core.ni.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER4E9A.tmp.dmp.8.dr
                    Source: okPY77wv6E.exe | Static PE information: 0xD0D9C084 [Sun Jan 12 18:18:44 2081 UTC]
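
The static PE facts the report lists for this sample (a CLR data directory, so it is a .NET image; a debug directory; the DllCharacteristics flags HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE; an executable .text section; and a link timestamp of 0xD0D9C084, which decodes to January 2081) all come straight out of the COFF and optional headers. The Python below is an added example, not code from the report or from Joe Sandbox: it parses those headers for both PE32 and PE32+ and returns the same fields. The header bytes it parses are constructed to carry the values above; they are not the sample's real headers, and the RVAs and sizes in the data directories are invented. One caveat worth building in: deterministic .NET builds write a content hash with the high bit set into TimeDateStamp instead of a build time, so a far-future date is a fingerprint of the build, not on its own a sign of tampering.

```python
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* bits, from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# Section characteristics bits that matter when judging an executable section.
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14  # data directory indices


def _flag_names(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Decode the COFF/optional header fields a triage report lists for a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:          # PE32+ (64-bit): 8-byte stack/heap fields shift the tail
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:        # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both layouts
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), _flag_names(flags, SECTION_FLAGS)))
    link_time = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=timestamp)

    def has_dir(idx: int) -> bool:
        return idx < ndirs and dirs[idx][0] != 0 and dirs[idx][1] != 0

    return {
        "machine": machine,
        "timestamp": timestamp,
        "link_time": link_time.isoformat(),
        # Deterministic .NET builds store a content hash here with the high bit set,
        # which is why such samples show a build date decades in the future.
        "timestamp_is_hash_like": bool(timestamp & 0x80000000),
        "dll_characteristics": _flag_names(dllchar, DLL_CHARACTERISTICS),
        "has_debug_directory": has_dir(DIR_DEBUG),
        "is_dotnet": has_dir(DIR_COM_DESCRIPTOR),
        "sections": sections,
    }


def build_sample() -> bytes:
    """Constructed PE32+ header carrying the values from the report; not the real sample."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0xD0D9C084, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * DIR_DEBUG, 0x2000, 0x1C)           # invented RVA/size
    struct.pack_into("<II", opt, 112 + 8 * DIR_COM_DESCRIPTOR, 0x2020, 0x48)  # invented RVA/size
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0,
                       0x20 | 0x20000000 | 0x40000000)
    return dos + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for key, value in parse_pe(build_sample()).items():
        print(f"{key}: {value}")
```

Running it against a real file is a matter of passing `open(path, "rb").read()` to `parse_pe`; the function only reads headers, so the whole 2.5 MB sample does not need to be mapped or executed.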
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B2BAD68 push eax; iretd 0_2_00007FFD9B2C1D7A
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B3A0000 push esp; retf 4810h 0_2_00007FFD9B3A0312
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Code function: 0_2_00007FFD9B3A1B21 pushad ; retf 0_2_00007FFD9B3A1B41

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process information set: NOOPENFILEERRORBOX (36 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: okPY77wv6E.exe PID: 7420, type: MEMORYSTR
                    Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
                    Source: okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe Memory allocated: 1F6264D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\okPY77wv6E.exe Memory allocated: 1F63FEB0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1620000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 3110000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Memory allocated: 1780000 memory reserve | memory write watch
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7126
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 2489
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Window / User API: threadDelayed 7349
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7848 Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep count: 34 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -200000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7896 Thread sleep count: 2489 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -199780s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99778s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99672s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99562s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99453s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99344s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7896 Thread sleep count: 7349 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99219s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -99109s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98997s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98873s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98757s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98512s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98406s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98297s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -98063s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892 Thread sleep time: -97938s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97715s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97391s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97266s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -97047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96938s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96808s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96703s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96594s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96469s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -96359s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99671s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99546s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99430s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99327s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99218s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -99108s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98999s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98890s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98781s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98670s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98561s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98452s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98343s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98234s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98124s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7892Thread sleep time: -98015s >= -30000sJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99109
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98873
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98757
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98512
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97715
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97391
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 97047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96469
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 96359
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99671
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99546
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 99108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98452
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98343
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98234
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Thread delayed: delay time: 98015
Source: Amcache.hve.8.dr | Binary or memory string: VMware
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr | Binary or memory string: VMware, Inc.
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.8.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA II
Source: Amcache.hve.8.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.8.dr | Binary or memory string: vmci.syshbin`
Source: AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
Source: Amcache.hve.8.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.8.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: okPY77wv6E.exe, 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.8.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
Source: Amcache.hve.8.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                    Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 4_2_016670B0 CheckRemoteDebuggerPresent, 4_2_016670B0
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: okPY77wv6E.exe, ----.cs | Reference to suspicious API methods: GetProcAddress(_0606_FBB5_FD4A_FD41_FBC7, _FDE8_FDE2_FDFC)
Source: okPY77wv6E.exe, ----.cs | Reference to suspicious API methods: VirtualProtect(_06E0_FD3F_FDE2_FDD9_0670_FBC9_FBBC_FBCA_FDE3, (uint)_065C_06E4, (uint)_FDDB_FDFC_FDD4_FDE1_06E7_FDE7, out _FDCA_FD43)
Source: okPY77wv6E.exe, ----.cs | Reference to suspicious API methods: LoadLibrary(_06DB(._FDD6_06FD_064D_FBB7))
Source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, eFaPC.cs | Reference to suspicious API methods: uegqtUwBmt.OpenProcess(zwYjuxQUnSG.DuplicateHandle, bInheritHandle: true, (uint)fAFQ.ProcessID)
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 442000
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: EE3008
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Queries volume information: C:\Users\user\Desktop\okPY77wv6E.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\okPY77wv6E.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\okPY77wv6E.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
(EnableLUA is the machine-wide policy value that switches UAC on or off. Writing it requires administrative rights, and a changed value only takes effect after a reboot, so the sample's "Disables UAC (registry)" signature describes a persistent weakening of the host rather than an immediate bypass.)
Source: Amcache.hve.8.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr | Binary or memory string: MsMpEng.exe
(These four strings come from the Amcache hive captured as a dropped file of process 8, i.e. from the analysis machine's own record of executed programs, where the Defender engine MsMpEng.exe is naturally listed. They are not strings embedded in the sample and on their own do not show the sample enumerating AV processes.)

Stealing of Sensitive Information

Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.unpack, type: UNPACKEDPE
Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPE
Yara match | File source: 00000004.00000002.2920921944.000000000316E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2920921944.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: okPY77wv6E.exe PID: 7420, type: MEMORYSTR
Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7644, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini (Firefox-derived browser)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini (Firefox-derived browser)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
(All credential-store accesses are performed by AddInProcess32.exe, the legitimate .NET add-in host that the sample injected into, not by okPY77wv6E.exe itself; endpoint telemetry keyed on the acting image therefore has to treat the hollowed host as the stealer.)
Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.unpack, type: UNPACKEDPE
Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPE
Yara match | File source: 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: okPY77wv6E.exe PID: 7420, type: MEMORYSTR
Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7644, type: MEMORYSTR

Remote Access Functionality

Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.unpack, type: UNPACKEDPE
Yara match | File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6383e5a60.2.raw.unpack, type: UNPACKEDPE
Yara match | File source: 0.2.okPY77wv6E.exe.1f6381364f0.0.raw.unpack, type: UNPACKEDPE
Yara match | File source: 00000004.00000002.2920921944.000000000316E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2920921944.0000000003191000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara match | File source: Process Memory Space: okPY77wv6E.exe PID: 7420, type: MEMORYSTR
Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7644, type: MEMORYSTR
MITRE ATT&CK Matrix (per tactic, as rendered in the report). The digits in front of a technique name are the report's signature-count badges for that cell; cells without a badge are the matrix's unflagged placeholder techniques and do not indicate observed behaviour.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 231 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: 21 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 261 Virtualization/Sandbox Evasion; 311 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1462148, sample okPY77wv6E.exe, start date 25/06/2024, architecture WINDOWS, score 100)

Start node
  DNS: smtp.zoho.eu; ip-api.com
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
  - okPY77wv6E.exe (started; graph badges 1 3)
      Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
      - AddInProcess32.exe (started; graph badges 14 2)
          Network: ip-api.com 208.95.112.1, source port 49731, destination port 80, TUT-ASUS, United States
          Network: smtp.zoho.eu 185.230.214.164, source ports 49735 and 49741, destination port 587, COMPUTERLINEComputerlineSchlierbachSwitzerlandCH, Netherlands
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 4 other signatures
      - powershell.exe (started; graph badge 23)
          Signatures: Loading BitLocker PowerShell Module
          - WmiPrvSE.exe (started)
          - conhost.exe (started)
      - WerFault.exe (started; graph badges 19 16)
          Dropped file: C:\ProgramData\Microsoft\...\Report.wer, Unicode
      - 2 other processes
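The behaviour graph above condenses the chain this report documents: the sample spawns AddInProcess32.exe and injects into it, creates EnableLUA under the system policy key, asks ip-api.com for the hosting field, reads browser, mail, FTP and WinSCP credential stores from inside the injected host, and connects to smtp.zoho.eu on port 587. As an added example (not part of the Joe Sandbox report and not the sample's own code), the Python below replays constructed Sysmon-style events through exactly those indicators and returns which report signature each event would trip. The paths, registry keys, IPs, ports and URL are the ones the report lists; the owning-application names in CRED_STORES, the MAIL_CLIENTS allowlist, the EnableLUA data value in the constructed event and the ATT&CK technique IDs are assumptions of the example.

```python
"""Replay of constructed endpoint telemetry against the indicators in this
report. Added example for this page, not Joe Sandbox code and not the sample's
own code; every event in SAMPLE_EVENTS is made up to mirror a behaviour the
report lists."""
import re
from dataclasses import dataclass, field

# Indicators taken from the report.
SAMPLE_IMAGE = r"C:\Users\user\Desktop\okPY77wv6E.exe"
INJECTION_HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
HOSTING_CHECK_URL = "http://ip-api.com/line/?fields=hosting"
C2_ENDPOINTS = {("208.95.112.1", 80): "ip-api.com", ("185.230.214.164", 587): "smtp.zoho.eu"}

# Assumptions, not from the report: which image names legitimately own each
# credential store the sample opened, and which images may talk SMTP.
CRED_STORES = [
    (re.compile(r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Cookies)$", re.I), {"chrome.exe"}),
    (re.compile(r"\\Microsoft\\Edge\\User Data\\.*\\Login Data$", re.I), {"msedge.exe"}),
    (re.compile(r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\.*\\cookies\.sqlite)$", re.I), {"firefox.exe"}),
    (re.compile(r"\\Thunderbird\\profiles\.ini$", re.I), {"thunderbird.exe"}),
    (re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I), {"ftpnavigator.exe"}),
    (re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I), {"winscp.exe"}),
]
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass
class Event:
    kind: str   # process_create | registry_set | file_open | registry_open | network_connect | http_request
    image: str  # full path of the acting process
    data: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Alert:
    technique: str  # ATT&CK id (example's own mapping; the report's matrix shows names only)
    signature: str  # report signature wording the event would trip
    image: str
    detail: str


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one Alert per event that matches an indicator; benign events yield nothing."""
    alerts = []
    for ev in events:
        d = ev.data
        if ev.kind == "process_create":
            if (ev.image.lower() == INJECTION_HOST.lower()
                    and d.get("parent_image", "").lower() == SAMPLE_IMAGE.lower()):
                alerts.append(Alert("T1055", "Injects a PE file into a foreign process",
                                    ev.image, f"parent {d['parent_image']}"))
        elif ev.kind == "registry_set":
            if d.get("target", "").lower() == UAC_VALUE.lower():
                alerts.append(Alert("T1562.001", "Disables UAC (registry)",
                                    ev.image, f"EnableLUA={d.get('value')}"))
        elif ev.kind in ("file_open", "registry_open"):
            target = d.get("target", "")
            for pattern, owners in CRED_STORES:
                # Flag only when the opener is not the store's owning application.
                if pattern.search(target) and _name(ev.image) not in owners:
                    alerts.append(Alert("T1555", "Tries to harvest and steal stored credentials",
                                        ev.image, target))
                    break
        elif ev.kind == "network_connect":
            key = (d.get("dst_ip"), d.get("dst_port"))
            if key in C2_ENDPOINTS:
                alerts.append(Alert("T1071", f"Connects to {C2_ENDPOINTS[key]}",
                                    ev.image, f"{key[0]}:{key[1]}"))
            elif key[1] == 587 and _name(ev.image) not in MAIL_CLIENTS:
                alerts.append(Alert("T1071.003", "SMTP submission from a non-mail process",
                                    ev.image, f"{key[0]}:{key[1]}"))
        elif ev.kind == "http_request":
            if d.get("url", "").startswith(HOSTING_CHECK_URL):
                alerts.append(Alert("T1497", "Check if machine is in data center or colocation facility",
                                    ev.image, d["url"]))
    return alerts


# Constructed events in the order the report's behaviour graph implies.
# The EnableLUA data value 0 is assumed; the report only records that the value was created.
SAMPLE_EVENTS = [
    Event("process_create", INJECTION_HOST, {"parent_image": SAMPLE_IMAGE}),
    Event("registry_set", SAMPLE_IMAGE, {"target": UAC_VALUE, "value": 0}),
    Event("http_request", INJECTION_HOST, {"url": HOSTING_CHECK_URL}),
    Event("network_connect", INJECTION_HOST, {"dst_ip": "208.95.112.1", "dst_port": 80}),
    Event("registry_open", INJECTION_HOST,
          {"target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"}),
    Event("file_open", INJECTION_HOST,
          {"target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"}),
    Event("file_open", INJECTION_HOST,
          {"target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"}),
    Event("network_connect", INJECTION_HOST, {"dst_ip": "185.230.214.164", "dst_port": 587}),
    # Control: the browser reading its own store must stay silent.
    Event("file_open", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          {"target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"}),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a.technique:<9} {_name(a.image):<20} {a.signature}  [{a.detail}]")
```

Run as a script it prints eight alerts and nothing for the chrome.exe control event, which is the point of keying credential-store access on the acting image: the same Login Data read by the browser itself is not an indicator, while the hollowed AddInProcess32.exe reading it is. In production the owner allowlist should be keyed on signer identity rather than file name, since a renamed binary defeats a name check; likewise the port-587 rule is a coarse fallback for the case where the SMTP server is not yet on a blocklist.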

Antivirus detection, submitted file
Source | Detection | Scanner | Label
okPY77wv6E.exe | 58% | ReversingLabs | Win64.Spyware.Negasteal (Negasteal is a vendor alias for AgentTesla)
okPY77wv6E.exe | 62% | Virustotal |

No Antivirus matches
No Antivirus matches

Antivirus detection, domains
Source | Detection | Scanner
smtp.zoho.eu | 0% | Virustotal
ip-api.com | 0% | Virustotal

Antivirus detection, URLs
Source | Detection | Scanner | Label
http://upx.sf.net | 0% | URL Reputation | safe
http://upx.sf.net | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | URL Reputation | safe
http://status.thawte.com0: | 0% | Avira URL Cloud | safe
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Virustotal |
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | 0% | Avira URL Cloud | safe
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Virustotal |
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | 0% | Avira URL Cloud | safe
http://smtp.zoho.eu | 0% | Avira URL Cloud | safe
http://smtp.zoho.eu | 0% | Virustotal |

Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
smtp.zoho.eu | 185.230.214.164 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
http://upx.sf.net | Amcache.hve.8.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://account.dyn.com/ | okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp; okPY77wv6E.exe, 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe; URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AddInProcess32.exe, 00000004.00000002.2920921944.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://cacerts.thawte.com/ThawteTLSRSACAG1.crt0 | AddInProcess32.exe, 00000004.00000002.2924640541.0000000006340000.00000004.00000020.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2920392110.0000000001481000.00000004.00000020.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2924640541.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://cdp.thawte.com/ThawteTLSRSACAG1.crl0p | same five AddInProcess32.exe memory regions as the cacerts.thawte.com entry | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://status.thawte.com0: | same five AddInProcess32.exe memory regions as the cacerts.thawte.com entry | false | Avira URL Cloud: safe | unknown
http://smtp.zoho.eu | AddInProcess32.exe, 00000004.00000002.2920921944.000000000323C000.00000004.00000800.00020000.00000000.sdmp; AddInProcess32.exe, 00000004.00000002.2920921944.0000000003174000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://ip-api.com | AddInProcess32.exe, 00000004.00000002.2920921944.0000000003111000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

The three thawte.com entries end in stray characters (0, 0p, 0:) because they are CRL distribution point, AIA and OCSP URIs carved out of a DER-encoded certificate in the process's memory, where the next tag and length bytes follow the URI string. They identify the certificate chain of the TLS connection to the mail server, not a contact address of the sample, and are not indicators in their own right.
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
185.230.214.164 | smtp.zoho.eu | Netherlands | 41913 | COMPUTERLINEComputerlineSchlierbachSwitzerlandCH | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1462148
                    Start date and time:2024-06-25 07:18:33 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 25s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:okPY77wv6E.exe
                    renamed because original name is a hash value
                    Original Sample Name:f7e8acb9ce13f8754aa9fd67d3857afc.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.expl.evad.winEXE@12/10@2/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 90%
                    • Number of executed functions: 81
                    • Number of non-executed functions: 8
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 20.42.65.92
                    • Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
01:19:33 | API Interceptor | 22x Sleep call for process: powershell.exe modified
01:19:34 | API Interceptor | 62x Sleep call for process: AddInProcess32.exe modified
01:19:45 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Context (other submissions sharing an indicator)
Columns per entry: Associated Sample Name / URL | Detection | Threat Name | Context

IPs

208.95.112.1
  Quotation.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  Cosco_RFQ_June_.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  division.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
  QUOTATION PT INDONESIA.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  Payroll List or Salary List.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
  wssvZm9dNK.exe | malicious | PXRECVOWEIWOEI Stealer | ip-api.com/line/?fields=hosting
  RobloxCheats.exe | malicious | Unknown | ip-api.com/xml/?fields=countryCode,query
  Applikationsprograms.exe | malicious | GuLoader | ip-api.com/line/?fields=hosting
  doc20240624-00073.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
  FC4311009.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

185.230.214.164
  RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | malicious | AgentTesla
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla
  INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla
  VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader

Domains

ip-api.com
  Quotation.exe | malicious | AgentTesla | 208.95.112.1
  Cosco_RFQ_June_.exe | malicious | AgentTesla | 208.95.112.1
  division.exe | malicious | Blank Grabber | 208.95.112.1
  QUOTATION PT INDONESIA.pdf.exe | malicious | AgentTesla | 208.95.112.1
  Payroll List or Salary List.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
  wssvZm9dNK.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
  SecuriteInfo.com.Program.Unwanted.5466.21892.3406.exe | malicious | Unknown | 51.77.64.70
  SecuriteInfo.com.Program.Unwanted.5466.21892.3406.exe | malicious | Unknown | 51.77.64.70
  RobloxCheats.exe | malicious | Unknown | 208.95.112.1
  Applikationsprograms.exe | malicious | GuLoader | 208.95.112.1

smtp.zoho.eu
  RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | malicious | AgentTesla | 185.230.214.164
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader | 185.230.214.164
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla | 185.230.214.164
  INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla | 185.230.214.164
  VBG dk Payment Receipt --doc87349281.bat | malicious | Remcos, AgentTesla, DBatLoader | 185.230.214.164
  RFQ_on_SAK-TC233L-32F200N_INFINEON_PN_PHARMA.pdf.exe | malicious | AgentTesla | 89.36.170.164
  1qwF1J2Njh.exe | malicious | AgentTesla | 185.230.212.164
  N8USBRwo0Z.exe | malicious | AgentTesla | 89.36.170.164
  PURCHASE_ORDER.exe | malicious | AgentTesla, zgRAT | 89.36.170.164
  New Enquiry List.exe | malicious | AgentTesla | 185.20.209.164

ASNs

COMPUTERLINEComputerlineSchlierbachSwitzerlandCH
  https://bitbucket.oreaillyauto.com/ | malicious | Unknown | 185.230.212.52
  https://show.zohopublic.com/publish/lbdok4d17ed2d1eb14856a7e4d9247a9cebd4 | malicious | HtmlDropper, HTMLPhisher | 89.36.170.147
  c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe | malicious | SystemBC | 185.230.212.166
  http://workdrive.zohopublic.eu/file/efe6bcb0201f3a92140adacc604376ceb2b52 | malicious | Unknown | 185.230.212.52
  RFQ678903423_PROD_HASUE_de_Mexicso_MAT_MEX.exe | malicious | AgentTesla | 185.230.214.164
  http://isme-zcmp.campaign-view.eu | malicious | Unknown | 185.230.212.52
  https://www.junglegstring.com/?wysija-page=1&controller=confirm&wysija-key=1c37c08e0ea53fdc22a8bedc342b6a0e&action=subscribe&wysijap=subscriptions&wysiconf=WyIxIl0= | malicious | Unknown | 89.36.170.147
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRYs.exe | malicious | GuLoader | 185.230.214.164
  RFQ678903423_PROD_INQUIRY_SHANG_NOG_INDUSTRY.exe | malicious | AgentTesla | 185.230.214.164
  INQUIRY#46789_MAY24_PLANEX_SERVICES_CONTRACTING_GOODS.exe | malicious | AgentTesla | 185.230.214.164

TUT-ASUS
  Quotation.exe | malicious | AgentTesla | 208.95.112.1
  Cosco_RFQ_June_.exe | malicious | AgentTesla | 208.95.112.1
  division.exe | malicious | Blank Grabber | 208.95.112.1
  QUOTATION PT INDONESIA.pdf.exe | malicious | AgentTesla | 208.95.112.1
  Payroll List or Salary List.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
  wssvZm9dNK.exe | malicious | PXRECVOWEIWOEI Stealer | 208.95.112.1
  RobloxCheats.exe | malicious | Unknown | 208.95.112.1
  Applikationsprograms.exe | malicious | GuLoader | 208.95.112.1
  doc20240624-00073.bat.exe | malicious | AgentTesla | 208.95.112.1
  FC4311009.exe | malicious | AgentTesla | 208.95.112.1
                              No context
                              No context
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.1701034471055014
                              Encrypted:false
                              SSDEEP:384:b1oh9EjRINUnUDjlammKTIzuiFvY4lO8/cH9:JSRUnUlavzuiFvY4lO8/
                              MD5:6B14BEA38C41946DECE308D8388FF12C
                              SHA1:1CD7FE884D9939450412BE570C43CF0B46E370B8
                              SHA-256:D3DB3464D172EEDEAAEE28C168FCA2EC45E2735CA1B0D96A33CB6A3530830BE8
                              SHA-512:C0512BE180E019D223964FB11AD1C2818AAA2D0ADF24F3F0EA8E12DF6E7692A82BCEDCA842ED4C9C9F42598B29ED42D2B89881EB3EEB9D92FB204DDD8A5D87ED
                              Malicious:true
                              Reputation:low
                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.7.6.6.3.7.3.0.3.1.3.8.2.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.7.6.6.3.7.4.2.5.0.1.3.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.0.9.a.3.6.c.9.-.8.c.0.9.-.4.4.8.d.-.b.2.4.9.-.5.1.8.5.d.d.4.c.f.f.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.e.6.0.f.1.9.-.8.5.d.c.-.4.1.d.a.-.a.9.0.7.-.8.1.a.a.7.7.7.2.d.5.5.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.o.k.P.Y.7.7.w.v.6.E...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.z.e.m.e.f.e.f.e.j.i.f.a.g.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.c.-.0.0.0.1.-.0.0.1.4.-.1.b.f.e.-.2.5.3.d.b.f.c.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.e.0.9.0.0.3.e.a.7.1.d.b.b.f.8.4.6.9.8.a.b.5.a.1.0.9.8.4.6.a.0.0.0.0.0.0.0.0.0.!.0.0.0.0.f.c.b.4.8.7.f.5.7.4.5.2.a.0.d.4.6.c.9.0.b.f.c.b.1.0.3.e.b.f.a.7.e.6.d.0.a.5.b.b.!.o.k.P.Y.7.7.w.v.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 16 streams, Tue Jun 25 05:19:33 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):459263
                              Entropy (8bit):3.3149614087098462
                              Encrypted:false
                              SSDEEP:3072:uwi7RrjqZL9UtuWobL+GrsV5TFejv4iT4cSnIb1CCqNEiFk/3+vz0nXfIc7:uwG8fbLxrfzwgqG/3Qcv
                              MD5:584788C4CDD8E578FA5F60B96D6A9317
                              SHA1:47FCFBC70EF52AE8A60A60214342A01E1A2EDAED
                              SHA-256:298056D98AE8856DBC36FC783854A71F27F786065ACE99E40B79C08D42215FAF
                              SHA-512:A3E56C80E799924AD68A656D00B653D0488CFFE3862EAE552D81A911070C74DC7DC943C554497F16472A81B5AA2112D951DEB6F236A71727CA8FCA097B28D0EB
                              Malicious:false
                              Reputation:low
                              Preview:MDMP..a..... .......eSzf............D...............d.......$...@%..........d%......dN..............l.......8...........T...........x8..............\D..........HF..............................................................................eJ.......F......Lw......................T...........ZSzf.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8610
                              Entropy (8bit):3.7095184967746877
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJ0ejXK2iW6Y9ulE1y7gmfix6JHprG89bC6zJfc12m:R6lXJ0wXGW6YWE87gmfixiVC+Jfct
                              MD5:C43F4E95278729271BDFD165F1ADD4FF
                              SHA1:BEA57584254FCE09F70D3C355F93FAA36A25A2B3
                              SHA-256:406219F0AE683A117D188A50D3617A28175B50687CE47E9DD8E76BB2E8ECE228
                              SHA-512:A5703BA2DB9A76CF5CAA0308DEA49C2652F0A4F26BBA17927A3EA07D3835D4B21BBBA0A29591B3C9D41C70CEF05E287A914BC45012D22C25C1A011711527AD6D
                              Malicious:false
                              Reputation:low
                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.2.0.<./.P.i.
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4764
                              Entropy (8bit):4.516277392542658
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zswiJg771I9sHWpW8VYSVYm8M4JuqAFFPyq85Drx5xaK7k/d:uIjfVI7f27V8Jou5EK7k/d
                              MD5:1D1262847BBC583A0FAE132A8497AAC6
                              SHA1:027DA07A9550669EABF888F90B5A3E8530A94FC8
                              SHA-256:A6841E2421EC9ECD123A98BFE2EFD306BB93CE867F2ED550D3BC20F34D15F3F6
                              SHA-512:ABD882CA165C3AFDC9334A999D85A601E623EFF67E4298FB0B8853BC2DB6B6C55BE551D2CF20A272CCE60BFB69B32860DFD779D8B7E3B02E0C66713C4752AA6D
                              Malicious:false
                              Reputation:low
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="382822" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64
                              Entropy (8bit):1.1940658735648508
                              Encrypted:false
                              SSDEEP:3:NlllulVmdtZ:NllUM
                              MD5:013016A37665E1E37F0A3576A8EC8324
                              SHA1:260F55EC88E3C4D384658F3C18C7FDEF202E47DD
                              SHA-256:20C6A3C78E9B98F92B0F0AA8C338FF0BAC1312CBBFE5E65D4C940B828AC92FD8
                              SHA-512:99063E180730047A4408E3EF8ABBE1C53DEC1DF04469DFA98666308F60F8E35DEBF7E32066FE0DD1055E1181167061B3512EEE4FE72D0CD3D174E3378BA62ED8
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e................................................@..........
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.46599927356455
                              Encrypted:false
                              SSDEEP:6144:nIXfpi67eLPU9skLmb0b4lWSPKaJG8nAgejZMMhA2gX4WABl0uNHdwBCswSbt:IXD94lWlLZMM6YFHp+t
                              MD5:A2938CAD4B8AD6E51007664E87C49F01
                              SHA1:9A6E46382C503FA5E19363954B83D67D10863B85
                              SHA-256:59D57C423BBA8A82DCA8A692983BE86A8026902C423D0ECEFBA4A0DEFF31BC73
                              SHA-512:6075A24FA64AC0C6E00C943DACC41EB3C282D73EDEA77D8D1CF918DB08C056BB1604E390402817FBEB53F760E7F352E5BB0404CC2F45B2649BC42527745D38DF
                              Malicious:false
                              Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..$C.................................................................................................................................................................................................................................................................................................................................................@2w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):4.781243154103778
                              TrID:
                              • Win64 Executable GUI (202006/5) 92.65%
                              • Win64 Executable (generic) (12005/4) 5.51%
                              • Generic Win/DOS Executable (2004/3) 0.92%
                              • DOS Executable Generic (2002/1) 0.92%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:okPY77wv6E.exe
                              File size:2'574'910 bytes
                              MD5:f7e8acb9ce13f8754aa9fd67d3857afc
                              SHA1:fcb487f57452a0d46c90bfcb103ebfa7e6d0a5bb
                              SHA256:f783322d824a009bdcdf0ecfc1065d5039bf39c67321aedb81241eba942e2b78
                              SHA512:8aba0e4145436ee6892b703a82b050066be14d9925acf1a5fa5a07b73ded9cee63fa3c939c11df20382cf14ee9e40b3502e9244c6d03810d3892e2159ae95cee
                              SSDEEP:12288:Gza40RpKLO43mMyivZ30yV/4+Rr/2JyIVSztHDhbh7:GzaXnW9Z5ZEyd4E+TVSDbF
                              TLSH:92C50125B98F6E23FC5559B8D5C231F520FC8E6336FA8A0FCF886CA588064BC6471975
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................."...0.................. ....@...... ....................................`................................
                              Icon Hash:90cececece8e8eb0
                              Entrypoint:0x400000
                              Entrypoint Section:
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0xD0D9C084 [Sun Jan 12 18:18:44 2081 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:
                              Instruction
                              dec ebp
                              pop edx
                              nop
                              add byte ptr [ebx], al
                              add byte ptr [eax], al
                              add byte ptr [eax+eax], al
                              add byte ptr [eax], al
                               Name                                  Virtual Address  Virtual Size  Is in Section
                               IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc000           0xa5c         .rsrc
                               IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_DEBUG           0xa3ee           0x1c          .text
                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2000           0x48          .text
                               IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                               Name   Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                               .text  0x2000           0x840a        0x8600    561e8c127062bc58e3e756a86798ae02  False     0.6247084888059702  data       6.210660255469935  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                               .rsrc  0xc000           0xa5c         0xc00     8630c3cad2c15e0b9210e15651c3cca2  False     0.2718098958333333  data       4.399411186580208  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                               Name         RVA     Size   Type                                                                                 Language  Country        ZLIB Complexity
                               RT_VERSION   0xc0b8  0x3dc  data                                                                                                          0.48785425101214575
                               RT_VERSION   0xc494  0x3dc  data                                                                                 English   United States  0.4898785425101215
                               RT_MANIFEST  0xc870  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                             0.5489795918367347
                               Language of compilation system  Country where language is spoken  Map
                               English                         United States
                               Timestamp                             Source Port  Dest Port  Source IP        Dest IP
                               Jun 25, 2024 07:19:33.915981054 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:19:33.920809031 CEST  80           49731      208.95.112.1     192.168.2.4
                               Jun 25, 2024 07:19:33.920939922 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:19:33.921252012 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:19:33.926126957 CEST  80           49731      208.95.112.1     192.168.2.4
                               Jun 25, 2024 07:19:34.399688005 CEST  80           49731      208.95.112.1     192.168.2.4
                               Jun 25, 2024 07:19:34.443121910 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:19:35.441621065 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:35.446619034 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:35.446711063 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:36.035181046 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:36.035440922 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:36.040611029 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:36.656028032 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:36.656546116 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:36.661459923 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:36.845633984 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:36.875844955 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:36.880947113 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.066138029 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.066167116 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.066184044 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.066257954 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.072114944 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.077028990 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.261548042 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.274847031 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.280846119 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.465204954 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.568115950 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.594046116 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.595403910 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.600348949 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.784514904 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:37.784883976 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:37.789726019 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.047271967 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.047606945 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.055079937 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.237353086 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.237843990 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.242748022 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.426798105 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.427056074 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.431870937 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.617779970 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.620081902 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.620224953 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.620265007 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.620321035 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:38.625107050 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.625124931 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.625139952 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:38.625185013 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.125454903 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.177489996 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.195745945 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.200675964 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.384459972 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.384784937 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.384848118 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.384893894 CEST  587          49735      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.384941101 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.388569117 CEST  49735        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.389667034 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.394500017 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.394637108 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.982156038 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:39.982345104 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:39.987309933 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.171780109 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.171967030 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:40.176851034 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.361232996 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.361867905 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:40.366868019 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.566828012 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.567970037 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:40.572815895 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.573952913 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:40.578821898 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.890695095 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:40.943089008 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.022150040 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.022434950 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.027489901 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.211503983 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.211935043 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.216860056 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.443295956 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.443567038 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.448463917 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.633522987 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.633764029 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.638746977 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.822794914 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:41.823025942 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:41.827842951 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.011852026 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.013465881 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013577938 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013622046 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013658047 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013842106 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013906002 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013958931 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013958931 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.013993025 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:19:42.018558025 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018570900 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018589973 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018599033 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018706083 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018716097 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018754005 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018769026 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018877029 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018887043 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018894911 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.018917084 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.503385067 CEST  587          49741      185.230.214.164  192.168.2.4
                               Jun 25, 2024 07:19:42.552455902 CEST  49741        587        192.168.2.4      185.230.214.164
                               Jun 25, 2024 07:20:25.443378925 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:20:25.448616028 CEST  80           49731      208.95.112.1     192.168.2.4
                               Jun 25, 2024 07:20:25.448681116 CEST  49731        80         192.168.2.4      208.95.112.1
                               Jun 25, 2024 07:21:15.459245920 CEST  49741        587        192.168.2.4      185.230.214.164
                              Jun 25, 2024 07:21:15.465224028 CEST58749741185.230.214.164192.168.2.4
                              Jun 25, 2024 07:21:15.790391922 CEST58749741185.230.214.164192.168.2.4
                              Jun 25, 2024 07:21:15.790409088 CEST58749741185.230.214.164192.168.2.4
                              Jun 25, 2024 07:21:15.790419102 CEST58749741185.230.214.164192.168.2.4
                              Jun 25, 2024 07:21:15.790421963 CEST58749741185.230.214.164192.168.2.4
                              Jun 25, 2024 07:21:15.790615082 CEST49741587192.168.2.4185.230.214.164
                              Jun 25, 2024 07:21:15.791073084 CEST49741587192.168.2.4185.230.214.164
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Jun 25, 2024 07:19:33.886574984 CEST | 57060 | 53 | 192.168.2.4 | 1.1.1.1
                              Jun 25, 2024 07:19:33.893965006 CEST | 53 | 57060 | 1.1.1.1 | 192.168.2.4
                              Jun 25, 2024 07:19:35.433325052 CEST | 57297 | 53 | 192.168.2.4 | 1.1.1.1
                              Jun 25, 2024 07:19:35.440752029 CEST | 53 | 57297 | 1.1.1.1 | 192.168.2.4
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Jun 25, 2024 07:19:33.886574984 CEST | 192.168.2.4 | 1.1.1.1 | 0x8c3 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                              Jun 25, 2024 07:19:35.433325052 CEST | 192.168.2.4 | 1.1.1.1 | 0x5d28 | Standard query (0) | smtp.zoho.eu | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Jun 25, 2024 07:19:33.893965006 CEST | 1.1.1.1 | 192.168.2.4 | 0x8c3 | No error (0) | ip-api.com | (none) | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                              Jun 25, 2024 07:19:35.440752029 CEST | 1.1.1.1 | 192.168.2.4 | 0x5d28 | No error (0) | smtp.zoho.eu | (none) | 185.230.214.164 | A (IP address) | IN (0x0001) | false
                              • ip-api.com
                              Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                              0 | 192.168.2.4 | 49731 | 208.95.112.1 | 80 | 7644 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              Timestamp | Bytes transferred | Direction | Data
                              Jun 25, 2024 07:19:33.921252012 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                              Host: ip-api.com
                              Connection: Keep-Alive
                              Jun 25, 2024 07:19:34.399688005 CEST | 175 | IN | HTTP/1.1 200 OK
                              Date: Tue, 25 Jun 2024 05:19:33 GMT
                              Content-Type: text/plain; charset=utf-8
                              Content-Length: 6
                              Access-Control-Allow-Origin: *
                              X-Ttl: 60
                              X-Rl: 44
                              Data Raw: 66 61 6c 73 65 0a
                              Data Ascii: false


                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                              Jun 25, 2024 07:19:36.035181046 CEST | 587 | 49735 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready June 25, 2024 7:19:35 AM CEST
                              Jun 25, 2024 07:19:36.035440922 CEST | 49735 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 141700
                              Jun 25, 2024 07:19:36.656028032 CEST | 587 | 49735 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 141700 (8.46.123.33 (8.46.123.33))
                              250-STARTTLS
                              250 SIZE 53477376
                              Jun 25, 2024 07:19:36.656546116 CEST | 49735 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
                              Jun 25, 2024 07:19:36.845633984 CEST | 587 | 49735 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.
                              Jun 25, 2024 07:19:39.982156038 CEST | 587 | 49741 | 185.230.214.164 | 192.168.2.4 | 220 mx.zoho.eu SMTP Server ready June 25, 2024 7:19:39 AM CEST
                              Jun 25, 2024 07:19:39.982345104 CEST | 49741 | 587 | 192.168.2.4 | 185.230.214.164 | EHLO 141700
                              Jun 25, 2024 07:19:40.171780109 CEST | 587 | 49741 | 185.230.214.164 | 192.168.2.4 | 250-mx.zoho.eu Hello 141700 (8.46.123.33 (8.46.123.33))
                              250-STARTTLS
                              250 SIZE 53477376
                              Jun 25, 2024 07:19:40.171967030 CEST | 49741 | 587 | 192.168.2.4 | 185.230.214.164 | STARTTLS
                              Jun 25, 2024 07:19:40.361232996 CEST | 587 | 49741 | 185.230.214.164 | 192.168.2.4 | 220 Ready to start TLS.


                              Target ID: 0
                              Start time: 01:19:22
                              Start date: 25/06/2024
                              Path: C:\Users\user\Desktop\okPY77wv6E.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Users\user\Desktop\okPY77wv6E.exe"
                              Imagebase: 0x1f626190000
                              File size: 2'574'910 bytes
                              MD5 hash: F7E8ACB9CE13F8754AA9FD67D3857AFC
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1887629897.000001F6283B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1889244475.000001F638136000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1889244475.000001F638316000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: low
                              Has exited: true

                              Target ID: 1
                              Start time: 01:19:31
                              Start date: 25/06/2024
                              Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\okPY77wv6E.exe" -Force
                              Imagebase: 0x7ff788560000
                              File size: 452'608 bytes
                              MD5 hash: 04029E121A0CFA5991749937DD22A1D9
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 2
                              Start time: 01:19:31
                              Start date: 25/06/2024
                              Path: C:\Windows\System32\conhost.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase: 0x7ff7699e0000
                              File size: 862'208 bytes
                              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 3
                              Start time: 01:19:31
                              Start date: 25/06/2024
                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              Wow64 process (32bit):
                              Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              Imagebase:
                              File size: 42'064 bytes
                              MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: moderate
                              Has exited: false

                              Target ID: 4
                              Start time: 01:19:32
                              Start date: 25/06/2024
                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              Imagebase: 0xd90000
                              File size: 43'008 bytes
                              MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2920921944.000000000316E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2920921944.0000000003191000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2920921944.0000000003141000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2919275707.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              Reputation: moderate
                              Has exited: false

                              Target ID: 5
                              Start time: 01:19:32
                              Start date: 25/06/2024
                              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                              Wow64 process (32bit): false
                              Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                              Imagebase: 0x490000
                              File size: 43'008 bytes
                              MD5 hash: 9827FF3CDF4B83F9C86354606736CA9C
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: moderate
                              Has exited: true

                              Target ID: 8
                              Start time: 01:19:32
                              Start date: 25/06/2024
                              Path: C:\Windows\System32\WerFault.exe
                              Wow64 process (32bit): true
                              Commandline: C:\Windows\system32\WerFault.exe -u -p 7420 -s 1104
                              Imagebase: 0xc90000
                              File size: 570'736 bytes
                              MD5 hash: FD27D9F6D02763BDE32511B5DF7FF7A0
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 9
                              Start time: 01:19:35
                              Start date: 25/06/2024
                              Path: C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase: 0x7ff693ab0000
                              File size: 496'640 bytes
                              MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges: true
                              Has administrator privileges: false
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true


                                Execution Graph

                                Execution Coverage:11.4%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:3
                                Total number of Limit Nodes:0
                                Execution graph: 7ffd9b2b528a -> 7ffd9b2b5299 (VirtualProtect) -> 7ffd9b2b5371
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: x67$x67
                                • API String ID: 0-2997797448
                                • Opcode ID: 97b00604ad832e758bfaeac76aa84c9e32fc918287a64b5cc30f151141b6b117
                                • Instruction ID: 0dd04911f4acc1d7b1d58b72862819320fa86bfb729585c13154298c0b429abc
                                • Opcode Fuzzy Hash: 97b00604ad832e758bfaeac76aa84c9e32fc918287a64b5cc30f151141b6b117
                                • Instruction Fuzzy Hash: 1DF29B3060DB894FE329DB28C4A14B6B7E1FF85301B1546BED4CAC72A6DE35E946C781

                                Control-flow Graph: function starting at 7ffd9b2b6358 (nodes marked Executed / Not Executed)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: fish$N_I
                                • API String ID: 0-3715900172
                                • Opcode ID: 895dac0d87775fd5887b39572a107bc8562b3681b4a047325dd8b6b0f3dfc064
                                • Instruction ID: d8a2fedfb9002704a154443f6ef72a7f93057cba7da37418795e18fb237511ab
                                • Opcode Fuzzy Hash: 895dac0d87775fd5887b39572a107bc8562b3681b4a047325dd8b6b0f3dfc064
                                • Instruction Fuzzy Hash: 08F19E32B1EA990FE72D9A689825575B7E1EF93350B0501BFD08AC71E7ED18ED028781

                                Control-flow Graph: function starting at 7ffd9b2bde91 (nodes marked Executed / Not Executed)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: SZN
                                • API String ID: 0-2492811478
                                • Opcode ID: 220864b10df00686739e21e1ee67f28e39c8902c530de8feb14c577b7b8c4340
                                • Instruction ID: 1f748197ceb3f7da47dbdb70562c997f0dcef6d88f1f46f33a2fa3f4094e4c15
                                • Opcode Fuzzy Hash: 220864b10df00686739e21e1ee67f28e39c8902c530de8feb14c577b7b8c4340
                                • Instruction Fuzzy Hash: 61527931A0DB5E8FE759DB68C4A45B477E1FF56300B1545BED08ACB2B2DE38A942CB40

                                Control-flow Graph: function starting at 7ffd9b2b4668 (nodes marked Executed / Not Executed)
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: d
                                • API String ID: 0-2564639436
                                • Opcode ID: 1ef7d3b197ec2d500c81ef8e58108b62a52d58246ff8c4d7b392641a7077d43d
                                • Instruction ID: 9017ee000181066da5f86b490449ce298cee8958341f2a1a44b9c51510304481
                                • Opcode Fuzzy Hash: 1ef7d3b197ec2d500c81ef8e58108b62a52d58246ff8c4d7b392641a7077d43d
                                • Instruction Fuzzy Hash: 04226830A1DA494FD76ADF6884A19B1B7E1EF46310B1541BDD49EC71ABDE28F843CB80
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892901967.00007FFD9B3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b3a0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16147d9629f804401fa3960323ad4a069d38664a6bbb3c110034c75aa3b7da81
                                • Instruction ID: ad303ef0145ae32e8fe2d9329490ba195e1b925a5ffdf5491638ef4211918e76
                                • Opcode Fuzzy Hash: 16147d9629f804401fa3960323ad4a069d38664a6bbb3c110034c75aa3b7da81
                                • Instruction Fuzzy Hash: E8A24A7190E7C94FEB66FB6888646A47FE0EF56700F1901FEC48DCB1A3DA246946C741
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892901967.00007FFD9B3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b3a0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: 877
                                • API String ID: 0-3810712908

                                Control-flow Graph

                                • API nodes in graph: VirtualProtect
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892522961.00007FFD9B2B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B2B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b2b0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1892901967.00007FFD9B3A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ffd9b3a0000_okPY77wv6E.jbxd
                                Similarity
                                • API ID:
                                • String ID: 877
                                • API String ID: 0-3810712908

                                Execution Graph

                                Execution Coverage:12.7%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:2.6%
                                Total number of Nodes:114
                                Total number of Limit Nodes:12
                                • API nodes in graph: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CheckRemoteDebuggerPresent, DuplicateHandle, LoadLibraryExW, GetModuleHandleW, GlobalMemoryStatusEx
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-2392861976

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q
                                • API String ID: 0-355816377
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                APIs
                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01667127
                                Memory Dump Source
                                • Source File: 00000004.00000002.2920636853.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1660000_AddInProcess32.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-3823777903
                                • Opcode ID: 2f32bff6f5a5b074472c5d9b0b43db8044a8787ebb223c0a5d00808dac9b57b0
                                • Instruction ID: dae610117320e6276e5ef6d72845cfd445bfff79254f336b9c6f8ffd89171025
                                • Opcode Fuzzy Hash: 2f32bff6f5a5b074472c5d9b0b43db8044a8787ebb223c0a5d00808dac9b57b0
                                • Instruction Fuzzy Hash: C0E17F70E1021A8FCB65DF69D5906AEB7F6EF84301F208929D40A9B784DF74EC46CB91

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069A6E15-069A7005, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, 069A7011 and GetCurrentThreadId
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 069A6EB6
                                • GetCurrentThread.KERNEL32 ref: 069A6EF3
                                • GetCurrentProcess.KERNEL32 ref: 069A6F30
                                • GetCurrentThreadId.KERNEL32 ref: 069A6F89
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: fe54c308c1fb0dbd86e7acc5f190c64aacce9cfc6dd22c26121624741291727c
                                • Instruction ID: 5833186160be165ffc6de0b9710eddfbdd47085a2c7b897b113da8188b1d8f0b
                                • Opcode Fuzzy Hash: fe54c308c1fb0dbd86e7acc5f190c64aacce9cfc6dd22c26121624741291727c
                                • Instruction Fuzzy Hash: 7D51A9B09053498FDB54DFA9D948BAEBFF1EF49300F24845EE00AA7791C7345944CB65

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069A6E38-069A7005, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, 069A7011 and GetCurrentThreadId
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 069A6EB6
                                • GetCurrentThread.KERNEL32 ref: 069A6EF3
                                • GetCurrentProcess.KERNEL32 ref: 069A6F30
                                • GetCurrentThreadId.KERNEL32 ref: 069A6F89
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: a50f378288e046e05823dc4e3a8d1fd524aa32389e2d20d9a28cb6f05d539d32
                                • Instruction ID: 326308a4975fd4000f47f5db332193e67043bd48e4179f898c8d6c27428321bc
                                • Opcode Fuzzy Hash: a50f378288e046e05823dc4e3a8d1fd524aa32389e2d20d9a28cb6f05d539d32
                                • Instruction Fuzzy Hash: 845165B0900309CFDB54DFAAD948BAEBBF1EF88314F24845DE00AA7760DB345984CB65

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069B9218-069B9B47, no calls recorded
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: da32ca262963fd734ed56fd026c4e572b63f92fad1e797cde75284d6bdbc7fc4
                                • Instruction ID: 81e53d2110f77430f32e771f543c7ea70a48b1f857380535bcb6444b81142622
                                • Opcode Fuzzy Hash: da32ca262963fd734ed56fd026c4e572b63f92fad1e797cde75284d6bdbc7fc4
                                • Instruction Fuzzy Hash: 71917130F1021A8FDB54DB69D9507AEB7F6EFC9204F208569C90DEB744EE749C828B91

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069BD018-069BDB6F, with calls to 069B6670, 069BDB85 and 069BDB98
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q
                                • API String ID: 0-831282457
                                • Opcode ID: a713b50ab5707ab07d24eb6ee51b6880bffccef01d37deb0e9828286d005bab3
                                • Instruction ID: 1532f9874aaa5b835e70d0ac59114ca4238ab4d05898f4f1b376923447c42403
                                • Opcode Fuzzy Hash: a713b50ab5707ab07d24eb6ee51b6880bffccef01d37deb0e9828286d005bab3
                                • Instruction Fuzzy Hash: 34629170A1021A8FCB55DF68D690A9DB7F2FF84305F208A29D0199F754DB75EC8ACB80

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069B4820-069B4F6B, with calls to 069B50C8 and 069B50D8
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: fcq$XPcq$\Ocq
                                • API String ID: 0-3575482020
                                • Opcode ID: d751aae67a3d2bf031b16ae36f01702387a4d77224a5a5b98be83c535216094c
                                • Instruction ID: d53d722eb9454cb5c67a2f9fabef77e2cc2ca24f5d60fce16533fdf3c35bec83
                                • Opcode Fuzzy Hash: d751aae67a3d2bf031b16ae36f01702387a4d77224a5a5b98be83c535216094c
                                • Instruction Fuzzy Hash: D6616130F002099FDF559FA9C9547AEBAF6FB88700F208429E109EB395DB755C419B91

                                Control-flow Graph

                                • Graph data (rendered interactively in the original; executed/not-executed colouring not reproduced): basic blocks 069B9208-069B9B47, no calls recorded
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q
                                • API String ID: 0-355816377
                                • Opcode ID: 52e3746498dda1303643c25d81962f632cf99f66bbbc7237e3d6767c21ab45f8
                                • Instruction ID: 71d19922ee59fdb6e447b69a5df8c9ba1493f989f226c21419f1b4034a01314e
                                • Opcode Fuzzy Hash: 52e3746498dda1303643c25d81962f632cf99f66bbbc7237e3d6767c21ab45f8
                                • Instruction Fuzzy Hash: 2E51B630B101169FDB54DB79D990BAE77F6EBC9604F108569C40AEB784EE34DC82CB91
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 069AF49E
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 7185924caa4c33304f0b5fe5b81070f83d14ca012defd3bf0e8e5ea5e269e0b3
                                • Instruction ID: 796b89a7b479a35a125dce2f73a9d93f7a1feb8447575d1f07d5927b1b6a9401
                                • Opcode Fuzzy Hash: 7185924caa4c33304f0b5fe5b81070f83d14ca012defd3bf0e8e5ea5e269e0b3
                                • Instruction Fuzzy Hash: 07813270A00B458FD7A4DF2AD44479ABBF6FF88304F10892AD48AD7A50DB75E849CBD1
                                Memory Dump Source
                                • Source File: 00000004.00000002.2920636853.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1660000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d8762286f73fce563dd2dc80f8059f73c45bd14a104b1a6063fd6bd03854264
                                • Instruction ID: 12e8bd0a6d6bb2ac3e2268bee70b4cfe057d65b8a5bd92aa8ff9990de2e339db
                                • Opcode Fuzzy Hash: 1d8762286f73fce563dd2dc80f8059f73c45bd14a104b1a6063fd6bd03854264
                                • Instruction Fuzzy Hash: 81411272E043998FCB04CFB9D8146AEBFF5AF89210F1585AAD504E7381DB78A845CBD1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069A7107
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: bd061d82e0ba60cef96472d9b458eeb9b5b3b82abde1f8bae8b557609ede136e
                                • Instruction ID: ff356fec314dcf26819ea665b93e255b7666f6bac65828c50133ad71e435956c
                                • Opcode Fuzzy Hash: bd061d82e0ba60cef96472d9b458eeb9b5b3b82abde1f8bae8b557609ede136e
                                • Instruction Fuzzy Hash: B42107B58003099FDB10CFA9D885AEEBFF9EB48310F10841AE914A7310D374A940CFA0
                                APIs
                                • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01667127
                                Memory Dump Source
                                • Source File: 00000004.00000002.2920636853.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1660000_AddInProcess32.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: 330736945f4e87783b855efcbcd61038fab22929f804820f1f804b71ae6e2a01
                                • Instruction ID: 191fbb3295a5ac6ead6a38bc2187a2aa1832ebe27054bd77aa012a9aa2806f4f
                                • Opcode Fuzzy Hash: 330736945f4e87783b855efcbcd61038fab22929f804820f1f804b71ae6e2a01
                                • Instruction Fuzzy Hash: 432125B1800259CFCB14CFAAD884BEEFBF5AF49310F24845AE459A7250D738A948CF60
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069A7107
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 439e01049e776a51a2f62fd1366f15e96903d4d7a9b3c895c3c6c2a02632fe4c
                                • Instruction ID: a41ade4a1bf5726422c46074fde834da1d01a2cf7137a97d295e63760a4d2d58
                                • Opcode Fuzzy Hash: 439e01049e776a51a2f62fd1366f15e96903d4d7a9b3c895c3c6c2a02632fe4c
                                • Instruction Fuzzy Hash: A021E6B5900309DFDB10CF9AD985AEEBFF4EB48310F14841AE914A7350D378A944CFA0
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,069AF519,00000800,00000000,00000000), ref: 069AF70A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 4e303c40dd314847d2c9475e1eaf65bc01493af404abc7c3f136ad92bc3f12cd
                                • Instruction ID: 7b02589877000914c5c2293711b2baa0a8abfc89e429fdc1dcd638999ca91b4e
                                • Opcode Fuzzy Hash: 4e303c40dd314847d2c9475e1eaf65bc01493af404abc7c3f136ad92bc3f12cd
                                • Instruction Fuzzy Hash: B12126B6C003099FDB10DFAAC844ADEFBF8EB88310F10841AE519A7600D779A545CFA5
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE ref: 0166F3F7
                                Memory Dump Source
                                • Source File: 00000004.00000002.2920636853.0000000001660000.00000040.00000800.00020000.00000000.sdmp, Offset: 01660000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1660000_AddInProcess32.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: c62322bf313ca161ca5c2fc48cd93d4c8b11b245e722e9d10503546b7cb7e201
                                • Instruction ID: c4fc04dbc75cb638fbcc571aa1452bfff50c3c81dbca313c2259da786a89e8b6
                                • Opcode Fuzzy Hash: c62322bf313ca161ca5c2fc48cd93d4c8b11b245e722e9d10503546b7cb7e201
                                • Instruction Fuzzy Hash: 341133B1C0065A9BCB10DFAAD844ADEFBF4EB48320F11816AE418A7241D378A944CFE1
                                APIs
                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,069AF519,00000800,00000000,00000000), ref: 069AF70A
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: LibraryLoad
                                • String ID:
                                • API String ID: 1029625771-0
                                • Opcode ID: 226d268ef9c94ff09338c6ae126675c619bc8705dc0f627e32a88455e6b4ea67
                                • Instruction ID: fcb08ec874323bf4d240883b69b70ffc7bcd4b4df2988bcaa7bfd69e0af9718d
                                • Opcode Fuzzy Hash: 226d268ef9c94ff09338c6ae126675c619bc8705dc0f627e32a88455e6b4ea67
                                • Instruction Fuzzy Hash: 6211E4B6D003499FDB10DF9AC444A9EFBF4EB88310F14842AE519A7610C379A945CFA5
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 069AF49E
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 2e1c120c2a3e81b2dc1053c88a5d16081df4a2051a3d21548ca771d02718d4b9
                                • Instruction ID: 113b387f3371a1950480ea927bbce7c7717f179c8ce42e819864f363be948283
                                • Opcode Fuzzy Hash: 2e1c120c2a3e81b2dc1053c88a5d16081df4a2051a3d21548ca771d02718d4b9
                                • Instruction Fuzzy Hash: 5811E3B6C007498FCB10DF9AC548ADEFBF8EB88324F10841AD419A7610D379A545CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069A7107
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925237862.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69a0000_AddInProcess32.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 5f94e4db1b1ab2578402b386127b731aa52b61993a970168364131c713cefd42
                                • Instruction ID: 9bdb4e3e9ef83ade3c08f7477b1eb36a93e302101318a7b99762fd1ba699aeed
                                • Opcode Fuzzy Hash: 5f94e4db1b1ab2578402b386127b731aa52b61993a970168364131c713cefd42
                                • Instruction Fuzzy Hash: 74F0A4B68043459EDB128BE9D809BDEFFF49F45314F24840AD545A7191C3744854CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: XPcq
                                • API String ID: 0-714321711
                                • Opcode ID: 1e4e37e57cd4e4907659ff1de857bb125455dc5330322a29d523bbd6b2cd72f1
                                • Instruction ID: 3e3d93635b5fc7ac46665c9751a9c1b13828c7eba908f6e9acd8aed43ff5c00d
                                • Opcode Fuzzy Hash: 1e4e37e57cd4e4907659ff1de857bb125455dc5330322a29d523bbd6b2cd72f1
                                • Instruction Fuzzy Hash: 88417270F002099FDB559FA9C854B9EBAF6FF88700F208529E105EB395DB759C01DB91
                                Strings
                                Memory Dump Source
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 286af4adc131443c950c9aba892a2de6e807a8a16b1952de684cdb59417a9fc6
                                • Instruction ID: 74caebfd1606855517bb5ebe0abe75248bec7f4f9ce73ffdf8867a5a8c0ae25a
                                • Opcode Fuzzy Hash: 286af4adc131443c950c9aba892a2de6e807a8a16b1952de684cdb59417a9fc6
                                • Instruction Fuzzy Hash: 3D018B76B100285BDB9495A8ED157EF62AE9BC8210F119536D90AE7680EE249C0247D2
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 27dd4a5d22df4153be25d0e7baa7aa19c3064818b18b0862a054828ff4f07367
                                • Instruction ID: ed1f12e89b62e5b33a05f952d30ea696621321794408f1096640bcc9780c297c
                                • Opcode Fuzzy Hash: 27dd4a5d22df4153be25d0e7baa7aa19c3064818b18b0862a054828ff4f07367
                                • Instruction Fuzzy Hash: 9901A431B100155BCB65A63D95947BE77DED7C9750F208839F10EC7380EE29DC024385
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a0eb891bbd723e3ccb244075ce957287a5e3616e1e2cc6432a93f0c520f6a88
                                • Instruction ID: ded6da83de059ed0d3e20d43b7dd2c9305b2f6fdcdcd7c5b302bce8e5680ea1f
                                • Opcode Fuzzy Hash: 8a0eb891bbd723e3ccb244075ce957287a5e3616e1e2cc6432a93f0c520f6a88
                                • Instruction Fuzzy Hash: DA016DA191D3945FDB02DB7889642C63FB89F42204F1604E3C484CF193E525D909C7AA
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d1f3b6c822c592e9c9aabf24c608fbd52e79af34bff9219da78eb55cb563c715
                                • Instruction ID: 56248ba0d7b430572e8e8ff616364ec742a7fa246264ec02ddf4c7d363ed943a
                                • Opcode Fuzzy Hash: d1f3b6c822c592e9c9aabf24c608fbd52e79af34bff9219da78eb55cb563c715
                                • Instruction Fuzzy Hash: 7E01DC30B101141BCB60962DE994B6A77EAEB89714F209839E00EC7784EE29EC428BC1
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ae77313ed4218bc68c320adedb39b6ae6464edc65a97a2af9f3a67db7cc077c5
                                • Instruction ID: 9f87aa7ab6375ed6c96a861773632119c8d8714891070e16b81d1f5b8d14079f
                                • Opcode Fuzzy Hash: ae77313ed4218bc68c320adedb39b6ae6464edc65a97a2af9f3a67db7cc077c5
                                • Instruction Fuzzy Hash: 33F02B32B211147FCB145D75EC084DBB72EEBC4321B10043AE505F3240CA32481787D0
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d138504dca74f90a75ddfacdebe15f7230bae778fd5490481d6a20d0052fadb2
                                • Instruction ID: 0983b0e1e74e0886b3b2a0b0dd8e34b4bc06abbbebd8a31ff9cae941e59eeb83
                                • Opcode Fuzzy Hash: d138504dca74f90a75ddfacdebe15f7230bae778fd5490481d6a20d0052fadb2
                                • Instruction Fuzzy Hash: 42E01271E10108ABDF50DEB4CB4979A77ADE741214F3094A5D409D7606E6B6EA11C744
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-2222239885
                                • Opcode ID: 80d4c7720f723003efa91f97d26bd0b58c2ca52630089bff9e19ff37b3ba35fd
                                • Instruction ID: 23286488de65303a2f0a26d488c168f2134dc1edb5bbebc97c4825ed3a16b376
                                • Opcode Fuzzy Hash: 80d4c7720f723003efa91f97d26bd0b58c2ca52630089bff9e19ff37b3ba35fd
                                • Instruction Fuzzy Hash: F3122D30E00219CFDB68DFA5D954AADB7F6BFC4301F209AA9D409AB754DB309D85CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-3823777903
                                • Opcode ID: ce3ad4e85a9cebc1c31056efb34efa3039c3dc4e866b39b0658e90af6084a2be
                                • Instruction ID: 301c5c65ac3684c3139506ae84909be0609f8ea2a830314e6686abfc5778e9ec
                                • Opcode Fuzzy Hash: ce3ad4e85a9cebc1c31056efb34efa3039c3dc4e866b39b0658e90af6084a2be
                                • Instruction Fuzzy Hash: 5A91A130E00219DFEB68DF65DA54BAEB7F6FF84301F209429E4069B650DB749C85CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                • API String ID: 0-390881366
                                • Opcode ID: e17294e512b734591e421733b816b6334ba8d9c4764335950e1d3c914f5761d3
                                • Instruction ID: b44e08ed617f88877e7448f5721608e470ec1a953699b1f2e1417e60ef455def
                                • Opcode Fuzzy Hash: e17294e512b734591e421733b816b6334ba8d9c4764335950e1d3c914f5761d3
                                • Instruction Fuzzy Hash: EEF13E30B10209CFDB55DBA9C594AAEBBB7FF88301F248568D4069B754DB75AC82CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: f6ef98ebf14f8ec792e681d508b34444f9ad80348f99c895d466ddb5831220d4
                                • Instruction ID: 51eb42948f6a3d96faab9ca6e2f207586c63a6c8b1739ef1f7ca5c6507211b19
                                • Opcode Fuzzy Hash: f6ef98ebf14f8ec792e681d508b34444f9ad80348f99c895d466ddb5831220d4
                                • Instruction Fuzzy Hash: CCB14D30E00219CFDB64EB69C69469EB7BAFF88305F249829D406DB754DB75DC82CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: LR^q$LR^q$$^q$$^q
                                • API String ID: 0-2454687669
                                • Opcode ID: cd4c1d05f86b06e62a495dc0b28716e2b343d51031498092c4a5a7acc26b18b6
                                • Instruction ID: 6922728243183e4c9daeabe94fb9e2211e25cf5bc11820354457f528b7cb32b5
                                • Opcode Fuzzy Hash: cd4c1d05f86b06e62a495dc0b28716e2b343d51031498092c4a5a7acc26b18b6
                                • Instruction Fuzzy Hash: 5951C530B002059FDB54DB79CA44AAEB7FAFF88310F149968E4069B7A4DA35EC41CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.2925300926.00000000069B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_69b0000_AddInProcess32.jbxd
                                Similarity
                                • API ID:
                                • String ID: $^q$$^q$$^q$$^q
                                • API String ID: 0-2125118731
                                • Opcode ID: 3879bdf7d921164566a359ac0949d73eaa3f65489041864e2e3cc0c3db7ed85d
                                • Instruction ID: 5bccc17ec4f5c8a19196d831bb0a306dc72f8c747f0751b56f694ea52340b849
                                • Opcode Fuzzy Hash: 3879bdf7d921164566a359ac0949d73eaa3f65489041864e2e3cc0c3db7ed85d
                                • Instruction Fuzzy Hash: CD518170E102058FDF65DB68D6906EEB7B6EB84301F20992AE406DB754DB34EC42CB81